[Please label comments about this section with the subject: "Health oversight"]
In section § 164.510(c), we propose to allow covered entities to disclose protected health information to public oversight agencies (and to private entities acting on behalf of such agencies) without individual authorization, for health oversight activities authorized by law. In cases in which a covered entity is also an oversight agency, it would be permitted to use protected health information in all cases in which it would be permitted to disclose such information for health oversight activities under this section.
Oversight activities are critical to support national priorities, including combating fraud in the health care industry, ensuring nondiscrimination, and improving the quality of care. The goals of public agencies' oversight activities are: to monitor the fiscal and programmatic integrity of health programs and of government benefit programs; to ensure that payments or other benefits of these programs are being provided properly; to safeguard health care quality; to monitor the safety and efficacy of medical products; and to ensure compliance with statutes, regulations, and other administrative requirements applicable to public programs and to health care delivery.
Oversight activities are a national priority in part because of the losses in the healthcare system due to error and abuse. For example, the HHS Office of Inspector General recently estimated losses due to improper Medicare benefit payments to be about seven percent. See "Improper Fiscal Year 1998 Medicare Fee-For Service-Payments," transmittal from Inspector General June Gibbs Brown to HCFA Administrator Nancy-Ann Min DeParle (February 9, 1999). Similarly, the final report of the President's Advisory Commission on Consumer Protection and Quality in the Health Care Industry concluded that "employing the extensive knowledge and expertise of organizations that oversee health care quality . . . is essential to quality improvement." (http://www.hcqualitycommission.gov/final/chap09.html)
There are certain oversight activities done as statistical inquiries that can be conducted without direct access to individually identifiable health information. However, many instances exist in which government oversight agencies, and private entities under contracting to act on their behalf, need to examine individually identifiable health information to conduct their investigations effectively. For example, to determine whether a hospital has engaged in fraudulent billing practices, it could be necessary to examine billing records for a set of individual cases. Billing abuses are detected by cross-checking the records of specific patients to see the medical documentation in support of a service. To determine whether a health plan is complying with federal or State health care quality standards, it may be necessary to examine individually identifiable health information . Other inquiries require review of individually identifiable health information to identify specific instances of the anomalies in treatment or billing patterns detected in statistical analysis. Even in most statistical inquiries of the type just described, in a paper environment particular patient charts must be examined, and the patient's name would be disclosed because it would be on each page of the chart.
Specifically, we would permit covered entities to disclose protected health information without individual authorization to a health oversight agency to conduct oversight activities authorized by law. Disclosures also could be made to private entities working under a contract with or grant of authority from one or more of the government oversight agencies described above. As discussed below, oversight activities by private entities operating pursuant to contracts with covered entities, such as accreditation organizations, would not be permitted to receive information under this provision, even if accreditation by such an organization is recognized by law as fulfilling a government requirement or condition of participation in a government program (often referred to as "deemed status").
Under our rule, oversight activities would include conducting or supervising the following activities: audits; investigations; inspections; civil, criminal or administrative proceedings or actions; and other activities necessary for appropriate oversight of the health care system, of government benefit programs for which health information is relevant to beneficiary eligibility, and of government regulatory programs for which health information is necessary for determining compliance with program standards. This regulation does not create any new right of access to health records by oversight agencies, and could not be used as authority to obtain records not otherwise legally available to the oversight agency.
Under our rule, a health oversight agency would be defined as a public agency authorized by law to conduct oversight activities relating to the health care system, a government program for which health information is relevant to determining beneficiary eligibility or a government regulatory program for which health information is necessary for determining compliance with program standards. Examples of agencies in the first category would include State insurance commissions, State health professional licensure agencies, Offices of Inspectors General of federal agencies, the Department of Justice, State Medicaid fraud control units, Defense Criminal Investigative Services, the Pension and Welfare Benefit Administration, the HHS Office for Civil Rights, and the FDA. Examples of agencies in the second category include the Social Security Administration and the Department of Education. Examples of agencies in the third category include the workplace safety programs such as the Occupational Health and Safety Administration and the Environmental Protection Agency. Agencies that conduct both oversight and law enforcement activities would be subject to this provision when conducting oversight activities.
In cases where health oversight agencies are working in tandem with other agencies overseeing public benefit programs to address compliance, fraud, or other integrity issues that could span across programs, the oversight activities of the team would be considered health oversight and disclosure to and among team members would be permitted under the proposed rule to the extent permitted under other law. For example, a fraud investigation could attempt to find a pattern of abuse across related programs, such as Medicaid and the supplemental security income program. Protected health information could be disclosed to the team of oversight agencies and could be shared among such agencies for oversight activities.
Public oversight agencies sometimes contract with private entities to conduct program integrity activities on a public agency's behalf. Such audits or investigations may include, for example, program integrity reviews of fraud and abuse in billing Federal and State health care programs; investigations conducted in response to consumer complaints regarding the quality or accessibility of a particular provider, health plan, or facility; and investigations related to disciplinary action against a health care provider, health plan, or health care facility. Covered entities may disclose protected health information to these agents to the extent such disclosure would be permitted to the public oversight body.
In many cases today, public agencies' contracts with private entities conducting investigations on their behalf require the private oversight organization to implement safeguards to protect individual privacy. HIPAA does not provide statutory authority to regulate the contracts between public oversight entities and their agents. However, we encourage public oversight entities to include privacy safeguards in all such contracts, and believe it would be appropriate for federal legislation to impose such safeguards.
In developing our proposal, we considered but rejected the option of providing an exemption from the general rules for situations in which a covered entity has a contract with a private accreditation organization to conduct an accreditation inspection. In such instances, the accreditation organization is performing a service for the covered entity much like any other contractor. The situation is not materially different in instances where accreditation from a private organization would have the effect of "deeming" the covered entity to be in compliance with a government standard or condition of participation in a government program. In both cases, the accreditation organization is performing a service for the covered entity, not for the government. In our considerations, we were unable to identify a reason that covered entities should hold these contractors to lesser standards than their other contractors. Individuals' privacy interests would not be diminished in this situation, nor is there any reason why such accreditation organizations should not be held to the requirements described above for business partners. Proposed rules for disclosure to these entities are discussed in section II.C.5., "Application to business partners." We invite comment on our proposed approach.
We do not propose any new administrative or judicial process prior to disclosure. This regulation would permit disclosure of protected health information without compulsory process where such disclosure is otherwise allowed. However, this regulation also would not abrogate or modify other statutory requirements for administrative or judicial determinations or for other procedural safeguards, nor would it permit disclosures forbidden by other law.
Under this § 164.518(c), covered entities would have an obligation to verify the identity of the person requesting protected health information and the legal authority behind the request before the disclosure would be permitted under this subsection. Preamble section II.G.3. describes these requirements in more detail.