A. Applicability.

[Please label comments about this section with the subject: “Applicability”]

The discussion below describes the entities and the information that would be subject to the proposed regulation.

1. Covered entities.

The standards in this proposed regulation would apply to all health plans, all health care clearinghouses, and all health care providers that transmit health information in an electronic form in connection with a standard transaction. In this proposed rule, these entities are referred to as “covered entities.” See definition at proposed § 160.103.

A health plan is defined by section 1171 to be an individual or group plan that provides for, or pays the cost of, medical care. The statute expressly includes a significant group of employee welfare benefit plans, state-regulated insurance plans, managed care plans, and essentially all government health plans, including Medicare, Medicaid, the veterans health care program, and plans participating in the Federal Employees Health Benefits Program. See discussion of the definition in section II.B.

A health care provider would be a provider of services as defined in section 1861(u) of the Act, 42 U.S.C. 1395x, a provider of medical or other health services as defined in section 1861(s) of the Act, and any other person who furnishes, bills or is paid for health care services or supplies in the normal course of business. See discussion of the definition in section II.B. Health care providers would be subject to the provisions of the rule if they transmit health information in electronic form in connection with a standard transaction. Standard transactions include claims and equivalent encounter information, eligibility and enrollment transactions, premium payments, claims attachments, and others. See proposed § 160.103. Health care providers who themselves do not directly conduct electronic transactions would become subject to the provisions of the proposed rule if another entity, such as a billing agent or hospital, transmits health information in electronic form in connection with a standard transaction on their behalf.

A health care clearinghouse would be a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. See section 1171(2) of the Act. We would consider billing services, repricing companies, community health management information systems or community health information systems, "value-added" networks, switches and similar organizations to be health care clearinghouses for purposes of this part only if they actually perform the same functions as a health care clearinghouse. See discussion of the definition in section II.B.

2. Covered information.

We propose to apply the standards in this proposed regulation to individually identifiable health information that is or has been electronically transmitted or maintained by a covered entity, including such information when it is in non-electronic form (e.g., printed on paper) or discussed orally. In this proposed regulation, such information is referred to as “protected health information.” See discussion of the definition in section II.B. Under HIPAA, our authority to promulgate privacy standards extends to all individually identifiable health information, in any form, maintained or transmitted by a covered entity. For reasons discussed below, we are proposing to limit the application of the proposed standards to protected health information. Below we invite comment on whether we should apply the standards to a broader set of individually identifiable health information in the future.

Under the proposal, the standards apply to information, not to specific records. Thus, once protected health information is transmitted or maintained electronically, the protections afforded by this regulation would apply to the information in any form and continue to apply as the information is printed, discussed orally or otherwise changed in form. It would also apply to the original paper version of information that is at some point transmitted electronically. The authority for, and implications of, this scope are discussed in detail in this section, below.

This proposed regulation would not apply to information that has never been electronically maintained or transmitted by a covered entity.

a. Legislative authority.

Under HIPAA, we have authority to promulgate a privacy standard that applies to all individually identifiable health information transmitted or maintained by a covered entity, including information in a non-electronic form. We recognize that there may be an expectation that we would apply privacy standards only to information that is electronically maintained and transmitted. Our prior proposals under HIPAA have addressed only electronically maintained and transmitted information. See Notices of Proposed Rulemaking (NPRM) published on May 7, 1998 (63 FR 25272 and 25320), June 16, 1998 (63 FR 32784), and the proposed security standards published on August 12, 1998 (63 FR 43242).

In considering the appropriate reach of the proposed privacy standards, however, we determined that limiting the standards to electronic information would not be consistent with the requirement in HIPAA for the Secretary to address privacy, confidentiality and security concerns relating to individually identifiable health information.

The HIPAA statute, taken as a whole, contemplates an information protection system that assures the privacy, confidentiality and integrity of health information. Two provisions in subtitle F of HIPAA address privacy and confidentiality concerns: section 264, titled “Recommendations with Respect to Privacy of Certain Health Information” and section 1173(d), titled “Security Standards for Health Information.” See 42 U.S.C. 1320d - 1320d-8, enacted as sections 262 and 264 of HIPAA.

In enacting HIPAA, Congress recognized that the increased accessibility of health information made possible by the widespread and growing use of electronic media and the new federal mandate for increased standardization of data requires enhanced privacy and confidentiality protections. The House Report links privacy and security concerns, stating: “The standards adopted would protect the privacy and confidentiality of health information. Health information is considered relatively ‘safe’ today, not because it is secure, but because it is difficult to access. These standards improve access and establish strict privacy protections.” House Report No. 496, 104th Cong., 2d Sess., at 99.

Section 264(c) authorizes the Secretary to protect the privacy of individually identifiable health information transmitted in connection with the standard transactions. Section 1173(d) authorizes the Secretary to prescribe requirements that address the security, integrity, and confidentiality of health information maintained or transmitted, in any form or medium, by the covered entities.

Neither the privacy authority in section 264(c) nor the security authority in section 1173(d) exclusively limits the scope of protection to electronic information. Section 264(c) of HIPAA requires the Secretary to issue a regulation setting privacy standards for individually identifiable health information “transmitted in connection with the transactions described in section 1173(a).” This statutory language is not on its face limited to electronic transmissions of individually identifiable health information, although electronic transmissions of such information are clearly within its scope. Moreover, the section requires the regulations to address “at least” the subjects of the Secretary’s Recommendations, which focus on individually identifiable health information, without reference to whether the information is electronic or not.

The security provision also is not limited by its terms to electronically maintained information. Rather, section 1173(d) applies throughout to “health information,” a statutorily defined term that clearly covers information in both its electronic and non-electronic forms.

In HIPAA, when Congress intended to limit health information to its electronic form, it did so explicitly. Section 1172(a)(3) of the statute says that the standards apply to health plans and to health care providers who transmit health information in electronic form in connection with the standard transactions (emphasis added); by contrast, the section 1173(d) requirements for information maintained or transmitted are not similarly qualified.

Further support for the premise that the standards may reach information that is maintained or transmitted non-electronically is found within section 1173(d) itself. That section explicitly distinguishes within one subsection (§ 1173(d)(1)(A)) between “record systems used to maintain health information” and “computerized record systems.” Thus, the conclusion may be drawn that the record systems covered by the § 1173(d) security standards are intended to include record systems other than those that are exclusively electronic or “computerized.”

Finally, the section that generally defines the HIPAA standard transactions, section 1173(a), is not limited by its terms to transactions that are electronic. Rather, although all of the transactions described can be performed electronically, all take paper and some take oral forms as well. Indeed, the purpose of the standards, including the security and privacy standards, is stated as “to enable electronic exchange.” This purpose would not preclude (and in fact would support) requirements that relate to non-electronic media where they support the overall goal of enabling electronic information exchange. Thus, we believe that the statute authorizes a privacy regulation covering health information in any form or medium maintained or transmitted by the covered entities.

Although we believe that HIPAA authorizes the Secretary to issue regulations covering individually identifiable health information in any form, the proposed privacy standards in this NPRM are directed to protecting only individually identifiable health information that is or at some point has been electronically maintained or transmitted by a covered entity. Those standards do not cover health information that has never been in electronic form.

We are proposing this approach because we believe that it focuses most directly on the primary concern raised by HIPAA: the fact that growing use of computerization in health care, including the rapid growth of electronic transfers of health information, gives rise to a substantial concern about the confidentiality of the health care information that is part of this growing electronic commerce. At the same time, we could not adequately address the confidentiality concerns associated with electronic transfers of health information unless we address the resulting uses and disclosures of such information, in whatever form. Indeed, the protection offered by this standard would be devoid of meaning if all non-electronic records and transmissions were excluded. In that event, access to “protected” health information would become merely a matter of obtaining the information in a paper or oral form. Such a narrow reading of the statute would lead to a system in which individually identifiable health information transmitted as part of a claim would be protected only until the information was printed or read aloud, at which point protection would disappear. Previously protected information could be freely printed and redistributed, regardless of limits on further electronic redistribution. The statutory language does not compel such an anomalous result.

In developing our proposal, we considered other approaches for determining the information that would be subject to the privacy standards. We considered but rejected limiting the scope of the proposal to information in electronic form. For the reasons discussed above, such a narrow interpretation would render the standards nearly meaningless. We also considered applying the privacy standards to all individually identifiable health information in any form maintained or transmitted by a covered entity. There are clear advantages to this approach, including permitting covered entities to treat all individually identifiable health information under the same standards. We rejected that approach in favor of our proposed approach, which we believe is more focused on the public concerns over health information confidentiality in an electronic communications age. We also were concerned about imposing additional burden with respect to health information that was less likely to present privacy concerns: paper records that are never reduced to electronic form are less likely to become disseminated broadly throughout the health care system. We invite comment on the approach that we are proposing and on whether alternate approaches to determining the health information that would be subject to this regulation would be more appropriate.

We also considered making use of other statutory authorities under which we impose general operating or management conditions for programs (e.g., Medicare, grant programs) to enhance these proposed privacy protections. Doing so could enable us to apply these privacy standards to a wider range of entities than are currently affected, such as health care providers who do not transmit standard transactions electronically. We use many other authorities now to impose confidentiality and privacy requirements, although the current rules lack consistency. It is not clear whether using these other authorities would create more uniform protections or expanded enforcement options. Therefore, we request comment on the concept of drawing on other authorities to amplify the protections of these privacy standards.

b. Application to records containing protected and unprotected health information.

Once transmitted or maintained electronically, protected health information is often mixed with unprotected health information in the same record. For example, under the proposed rules, information from a medical record that is electronically transmitted by a provider to a health plan and then returned to the original record would become protected health information, even though the rest of the information contained in the paper record may not be subject to these privacy rules.

We reiterate that under the proposed rule, the protections would apply to the information itself, not to the particular record in which it is contained or transmitted. Therefore, an entity could not maintain duplicate records and apply the protections only to the information contained in the record that is electronically maintained or transmitted. For example, once an individual’s name and diagnostic code are transmitted electronically between covered entities (or business partners), that information must be protected by both the transmitting and receiving entities in every record, written, electronic or other, in which it appears.

We recognize that this approach may require some additional administrative attention to mixed records (records containing protected and unprotected health information) to ensure that the handling of protected health information conforms with these regulations. We considered ways to limit application of these protections to avoid such potential administrative concerns. However, these regulations would have little effect if not applicable to otherwise protected health information simply because it was combined with unprotected health information – any information could be lawfully disclosed simply by including some additional information. Likewise, these regulations would have no meaning if entities could then avoid applying the protections merely by maintaining separate duplicate records. A way to limit these rules to avoid application to mixed information without sacrificing basic protections is not apparent.

Unlike the potential issues inherent in the protection of oral information, there may be relatively simple ways to reduce possible confusion in protecting mixed records. The risk of inappropriate use or disclosure of protected health information in a mixed record can be eliminated simply by handling all information in mixed records as if it were protected. It also may be possible to develop a “watermark” analogous to a copyright label, designating which written information is protected. We welcome comments on how best to protect information in mixed records, without creating unnecessary administrative burdens.

Finally, we recognize that these rules may create awkward boundaries and enforcement ambiguities, and seek comment on how best to reduce these ambiguities while maintaining the basic protections mandated by the statute.

3. Interaction with other standards.

The privacy standards in this proposed regulation would be closely integrated with other standards that have been proposed under the HIPAA Administrative Simplification title. This is particularly true with respect to the proposed security standards published on August 12, 1998 (63 FR 43242).

We understand that we are proposing a broader scope of applicability with respect to covered information under these privacy standards than we have previously proposed under the security standard. We intend to solicit additional comments regarding the scope of information that should be addressed under the security standard in the near future.

We also recognize that in this NPRM we are publishing slightly different definitions for some of the concepts that were defined in previously published NPRMs for the other standards. The differences resulted from the comments received on the previous NPRMs as well as the conceptual work done in the development of this NPRM. As we publish the final rules, we will bring all the definitions into conformance.

4. References to other laws.

The provisions we propose in this rule would interact with numerous other laws. For example, proposed § 164.510 provides standards for certain uses or disclosures that are permitted in this rule, and in some cases references activities that are authorized by other applicable law, such as federal, State, tribal or territorial laws. In cases where this rule references "law" or "applicable law" we intend to encompass all applicable laws, decisions, rules, regulations, administrative procedures or other actions having the effect of law. We do not intend to exclude any applicable legal requirements imposed by a governmental body authorized to regulate in a given area. Where particular types of law are at issue, such as in the proposed provisions for preemption of State laws in subpart B of part 160, or permitted disclosures related to the Armed Forces in § 164.510(m), we so indicate by referring to the particular type of law in question (e.g., "State law" or "federal law").

When we describe an action as "authorized by law," we mean that a legal basis exists for the activity. The phrase "authorized by law" is a term of art that includes both actions that are permitted and actions that are required by law. When we specifically discuss an action that is "required" or "mandated," we mean that a law compels (or conversely, prohibits) the performance of the activity in question. For example, in the health oversight context, disclosure of health information pursuant to a valid Inspector General subpoena, grand jury subpoena, civil investigative demand, or a statute or regulation requiring production of information justifying a claim would constitute a disclosure required by law.