[Federal Register: November 3, 1999 (Volume 64, Number 212)]
[Proposed Rules]
[Page 60017-60065]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr03no99-69]
[[pp. 60017-60065]] Standards for Privacy of Individually Identifiable Health
Information
[[Continued from page 60016]]
[[Page 60017]]
patient demand for access, amendment, and correction of medical
records.
Our cost calculations assume that persons who request an
opportunity to amend or correct their record have already obtained a
copy of their medical record. Therefore, the administrative cost of
amending and correcting the patient's record is completely separate
from inspection and copying costs. In this section we have only
addressed the cost of disputing a factual statement within the patient
record, and do not calculate the cost of appeals or third party review.
Administrative review of factual statements contained within a
patient's record may be expensive. Most errors may be of a nature that
a clerk or nurse can correct (e.g., the date of a procedure is
incorrect) but some may require physician review. Thus, we have
estimated that the average cost of amending and correcting a patient
record may be $75 per instance.
If amendment and correction requests are associated with two-thirds
of requests for inspection and copying, and the cost of correcting (or
noting the patient's request for correction) is $75, the total cost of
amending and correcting patient records will be $407 million annually,
or $2 billion over five years. Comments on our estimate of amendment
and correction costs would be helpful, particularly if they speak to
current amendment and correction costs or frequency in the health care
industry.
Reconstructing a History of Disclosures (Other Than for Treatment and
Payment)
To our knowledge, no current State law or professional code
requires providers and plans to maintain the capability to reconstruct
a patient's health information history. Therefore, the requirement in
this rule to be able to reconstruct the disclosure history of protected
health information is completely new. Although it is likely that some
providers and plans have already developed this capability, we assume
that all providers and plans would be required to invest in developing
the capacity to generate disclosure histories.
With respect to reconstruction of disclosure history, two sets of
costs would exist. On electronic records, fields for disclosure reason,
information recipient, and date would have to be built into the data
system. The fixed cost of designing the system to include this
would be a component of the $90 million additional costs discussed
earlier. The ongoing cost would be the data entry time, which should be
at de minimis levels. Comments would again be especially useful with
respect to the extent to which recording the additional information
goes beyond current practice.
Authorizations
Although many States have laws that require entities to obtain
patient authorization before releasing individually identified health
information to payers and other third parties, many of the
authorization requirements either allow for blanket authorizations that
deprive the patient of meaningful control over the release of their
health information, or the authorization statutes are less stringent
than the provisions of the proposed rule. Therefore, for purposes of
estimating the economic impact of the NPRM, we are assuming that all
providers and plans will have to develop new procedures to conform to
the proposed rule.
Written patient authorization requirements will generate costs, to
the extent covered entities are currently releasing information in the
targeted circumstances without specific authority. Collecting such
authorization should have costs on the order of those associated with
providing access to records (not on a per page basis). The frequency of
such collections is unknown. Since the requirement does not apply to
treatment and payment, assuming 1 percent of the 543 million encounters
over five years might be reasonable. At a cost of about $10 each, the
aggregate cost would be about $54 million annually, or $271 million
over five years. Comments would be especially useful from entities
currently following such procedures.
Training
The ongoing costs associated with paperwork and training are likely
to be minimal. Because training happens as a regular business practice,
and employee certification connected to this training is also the norm,
we estimate that the marginal cost of paperwork and training is likely
to be small. We assume a cost of approximately $20 per provider office,
and approximately $60-100 for health plans and hospitals. Thus, we
estimate that the total cost of paperwork and training will be $22
million a year.
Conclusion
Overall, the five-year costs beyond those already shown in the
administrative simplification estimates would be about $3.8 billion
over five years, with an estimated range of $1.8 to $6.3 billion. Table
2 shows the components described above. The largest cost item is for
amendment and correction, which is over half of the estimated total
cost of the regulation. Inspection and copying, at $405 million over
five years, and issuance of notices by providers and plans, at $439
million over five years, are the second biggest components. The one-
time costs of development of policies and procedures by providers would
represent approximately 10 percent of the total cost, or $333 million.
Plans and clearinghouses would have a substantially smaller cost, about
$62 million. Other systems changes are expected to cost about $90
million over the period. Finally, the estimates do not consider all of
the costs imposed by the regulation.
Table 2.--The Cost of Complying With the Proposed Privacy Regulation
[In Dollars]
----------------------------------------------------------------------------------------------------------------
                                                                   Initial or       Annual cost      Five year
Provision                                                          first year       after the        (2000-2004)
                                                                   cost (2000)      first year       cost
----------------------------------------------------------------------------------------------------------------
Development of Policies and Procedures--Providers (totaling
  871,294)......................................................   $333,000,000   ..............   $333,000,000
Development of Policies and Procedures--Plans (totaling 18,225)..     62,000,000   ..............     62,000,000
System Changes--All Entities....................................     90,000,000   ..............     90,000,000
Notice Development Cost--all entities...........................     20,000,000   ..............     30,000,000
Notice Issuance--Providers......................................     59,730,000       37,152,000    208,340,000
Notice Issuance--Plans..........................................     46,200,000       46,200,000    231,000,000
Inspection/Copying..............................................     81,000,000       81,000,000    405,000,000
Amendment/Correction............................................    407,000,000      407,000,000  2,035,000,000
Written Authorization...........................................     54,300,000       54,300,000    271,500,000
Paperwork/Training..............................................     22,000,000       22,000,000    110,000,000
Other Costs *...................................................          **N/E              N/E            N/E
                                                                   -----------------------------------------------
    Total.......................................................  1,165,230,000      647,652,000  3,775,840,000
----------------------------------------------------------------------------------------------------------------
* Other Costs include: minimum necessary disclosure; monitoring business partners with whom entities share PHI;
creation of de-identified information; internal complaint processes; sanctions; compliance and enforcement;
the designation of a privacy official and creation of a privacy board; additional requirements on research/
optional disclosures that will be imposed by the regulation.
** N/E = ``Not estimated''.
Costs to the Federal Government
The proposed rule will have a cost impact on various federal
agencies that administer programs that require the use of individual
health information. Federal agencies or programs clearly affected by
the rule are those that meet the definition of a covered entity. The
costs when government entities are serving as providers are included in
the total cost estimates. However, non-covered agencies or programs
that handle medical information, either under permissible exceptions to
the disclosure rules or through an individual's expressed
authorization, will likely incur some costs complying with provisions
of this rule. A sample of federal agencies encompassed by the broad
scope of this rule includes the Department of Health and Human
Services, Department of Defense, Department of Veterans Affairs,
Department of State, and the Social Security Administration.
The federal costs of complying with the regulation are included in
the estimates of total costs. The greatest cost and administrative
burden on the federal government will fall to agencies and programs
that act as covered entities, by virtue of being either a health plan
or provider. Examples include the Medicare, Medicaid, Children's Health
Insurance and Indian Health Service programs at the Department of
Health and Human Services; the CHAMPVA health program at the Department
of Veterans Affairs; and the TRICARE health program at the Department
of Defense. These and other health insurance or provider programs
operated by the federal government are subject to requirements placed
on covered entities under this proposed rule, including, but not
limited to, those outlined in Section D of the impact analysis. While
many of these federal programs already afford privacy protections for
individual health information through the Privacy Act, this rule is
expected to create additional requirements beyond those covered by
existing Privacy Act rule. Further, we anticipate that most federal
health programs will, to some extent, need to modify their existing
Privacy Act practices to fully comply with this rule.
The cost to federal programs that function as health plans will be
generally the same as those for the private sector. The primary
difference is the expectation that systems compliance costs may be
higher due to the additional burden of compliance and oversight costs.
A unique cost to the federal government will be in the area of
enforcement. The Office of Civil Rights (OCR), located at the
Department of Health and Human Services, has the primary responsibility
to monitor and audit covered entities. OCR will monitor and audit
covered entities in both the private and government sectors, will
ensure compliance with requirements of this rule, and will investigate
complaints from individuals alleging violations of their privacy
rights. In addition, OCR will be required to recommend penalties and
other remedies as part of their enforcement activities. These
responsibilities represent an expanded role for OCR. Beyond OCR, the
enforcement provisions of this rule will have additional costs to the
federal government through increased litigation, appeals, and inspector
general oversight.
Examples of other unique costs to the federal government include
such activities as public health surveillance at the Centers for
Disease Control and Prevention, health research projects at the Agency
for Health Care Policy and Research, clinical trials at the National
Institutes of Health, and law enforcement investigations and
prosecutions by the Federal Bureau of Investigation. For these and
other activities, federal agencies will incur some costs to ensure that
protected health information is handled and tracked in ways that comply
with the requirements of this title. A preliminary analysis of these
activities suggests that the federal cost will be on the order of $31
million. We are currently in the process of refining these estimates
and will include better information on them in the final rule.
Costs to State Governments
The proposed rule will also have a cost effect on various state
agencies that administer programs that require the use of individual
health information. State agencies or programs clearly affected by the
rule are those that meet the definition of a covered entity. The costs
when government entities are serving as providers are included in the
total cost estimates. However, non-covered agencies or programs that
handle medical information, either under permissible exceptions to the
disclosure rules or through an individual's expressed authorization,
will likely incur some costs complying with provisions of this rule.
Examples of state agencies encompassed by the broad scope of this rule
include the Medicaid and Children's Health Insurance programs at the
Department of Health and Human Services.
We have included state costs in the estimation of total costs. The
greatest cost and administrative burden on the state government will
fall to agencies and programs that act as covered entities, by virtue
of being either a health plan or provider. Examples include the
Medicaid and Children's Health Insurance programs at the Department of
Health and Human Services. These and other health insurance or provider
programs operated by state government are subject to requirements
placed on covered entities under this proposed rule, including, but not
limited to, those outlined in Section D of the impact analysis. While
many of these state programs already afford privacy protections for
individual health information through the Privacy Act, this rule is
expected to create additional requirements beyond those covered by
existing Privacy Act rule. Further, we anticipate that most state
health programs will, to some extent, need to modify their existing
Privacy Act practices to fully comply with this rule.
The cost to state programs that function as health plans will be
different than the private sector, much as the federal costs vary from
private plans. A preliminary analysis suggests that state costs will be
on the order of $90 million over five years. We will refine the
estimates for the state government costs for enforcement, research and
other distinct state government functions in the final rule. We welcome
comment by state and local governments which will help the Department
improve its analysis on these state costs.
F. Benefits
As we have discussed in the preamble, there are important societal
benefits associated with improving health information privacy.
Confidentiality is a key component of trust between patients and
providers, and some studies indicate that a lack of privacy may deter
patients from obtaining preventive care and treatment.\21\
For these reasons, traditional approaches to estimating the value of a
commodity cannot fully capture the value of personal privacy. It may be
difficult for individuals to assign value to privacy protection because
most individuals view personal privacy as a right. Because we promote
the view that privacy protection is an important personal right, the
benefits of the proposed regulation are impossible to estimate based on
the market value of health information alone. However, it is possible
to evaluate some of the benefits that may accrue to individuals as a
result of proposed regulation, and these benefits, alone, suggest that
the regulation is warranted. Added to these benefits is the intangible
value of privacy, the personal security that we may feel when our
records are confidential, which is very real and very significant but
for which there is no economic value or proxy.
---------------------------------------------------------------------------
\21\ Equifax-Harris Consumer Privacy Survey, 1994.
---------------------------------------------------------------------------
There are a number of ways to discuss the expected benefits of this
proposed regulation. The first option is to discuss the benefits
qualitatively. We believe that this is necessary to give the reader a
basic understanding of how this proposed regulation will benefit
society. The second option that we have used is to quantify the
benefits of the proposed rule as they would apply to a few illness
categories that may be particularly responsive to privacy concerns.
This quantitative discussion is meant to be illustrative of the
benefits rather than a comprehensive accounting of all of the benefits
of the proposed rule. The combination of the two approaches clearly
illustrates that the benefits of the regulation are significant in
relation to the economic costs.
Before beginning our discussion of the benefits, it is important to
create a framework for how the costs and benefits may be viewed in
terms of individuals rather than societal aggregates. We have estimated
the value an insured individual would need to place on increased
privacy to make the proposed Privacy regulation a net benefit to those
who receive health insurance. Our estimates are derived from data
produced by the 1998 Current Population Survey from the Census Bureau,
and report that 220 million persons are covered by either private or
public health insurance. Joining the Census Bureau data with cost
assumptions calculated in Section E, we have estimated the cost of the
proposed regulation is $3.41 per insured individual. If we assume that
individuals who use the health care system will be willing to pay more
than $3.41 per year (or approximately $0.28 per month) to improve
health information privacy, the benefits of the proposed regulation
will outweigh the cost.
This is a conservative estimate of the number of people who will
benefit from the regulation because it assumes that only those
individuals who have health insurance will use medical services or
benefit from the provisions of the proposed regulation. Currently,
there are 44 million Americans who do not have any form of health care
insurance. In addition, the estimates do not include those who pay for
medical care directly, without any insurance or government support. By
lowering the number of users in the system, we have inflated our
estimate of the per-person cost of the regulation, therefore, we assume
that our estimate represents the highest cost to an individual.
An alternative approach to determining how people would have to
value increased privacy for this regulation to be beneficial is to look
at the costs divided by the number of encounters with health care
professionals annually. Data from the Medical Expenditure Panel Survey
(MEPS) produced by the Agency for Health Care Policy Research (AHCPR)
report approximately 1.62 billion health care visits, or encounters
annually (e.g., office visits, hospital and nursing home stays, etc.).
As with our calculation of average annual cost per insured patient, we
have divided the total cost of complying with the regulation ($751
million per year) by the total annual number of health care encounters.
The cost of instituting requirements of the proposed regulation is
$0.46 per health care encounter. If we assume that individuals would be
willing to pay more than $0.46 per health care encounter to improve
health information privacy, the benefits of the proposed regulation
will outweigh the cost.
Qualitative Discussion
A well designed privacy standard can be expected to build
confidence among the public about the confidentiality of their medical
records. The seriousness of public concerns about privacy in general
are shown in the 1994 Equifax-Harris Consumer Privacy Survey, where
``84 percent of Americans are either very or somewhat concerned about
threats to their personal privacy.''\22\ A 1999 report,
``Promoting Health and Protecting Privacy'' notes ``* * * many people
fear their personal health information will be used against them: to
deny insurance, employment, and housing, or to expose them to unwanted
judgements and scrutiny.''\23\ These concerns would be partly
allayed by the privacy standard. Further, increased confidence will
increase the likelihood of some people seeking treatment for particular
classes of disease. It will also change the dynamic of current
payments. Insured patients currently paying out-of-pocket for
confidentiality reasons will be more likely to file with their insurer.
The increased utilization that would result from increased confidence
in privacy could be beneficial under many circumstances. For many
medical conditions, early treatment can lead to lower costs.
---------------------------------------------------------------------------
\22\ Consumer Privacy Survey, Harris-Equifax, 1994, p. vi.
\23\ Promoting Health: Protecting Privacy, California Health
Care Foundation and Consumers Union, January 1999, p. 12.
---------------------------------------------------------------------------
Fear of disclosure of treatment is an impediment to health care for
many Americans. In the 1993 Harris-Equifax Health Information Privacy
Survey, 7 percent of respondents said they or a member of their
immediate family had chosen not to seek medical services due to fear of
harm to job prospects or other life opportunities. About 2 percent
reported having chosen not to file an insurance claim because of
concerns with privacy or confidentiality.\24\ Increased
confidence on the part of patients that their privacy would be
protected would lead to increased
treatment among people who delay or never begin care, as well as among
people who receive treatment but pay directly (to the extent that the
ability to use their insurance benefits will reduce cost barriers to
more complete treatment).
---------------------------------------------------------------------------
\24\ Health Information Privacy Survey, Harris-Equifax, 1993,
pp. 49-50.
---------------------------------------------------------------------------
The following are four examples of areas where increased confidence
in privacy would have significant benefits. They were chosen both
because they are representative of widespread and serious health
problems, and because they are areas where reliable and relatively
complete data are available for this kind of analysis. The logic of the
analysis, however, applies to any health condition. Even for relatively
minor conditions, an individual still might be concerned with
maintaining privacy, and even a person with no significant health
problems is going to value privacy because of the possibility at some
time they will have a condition that they want to keep private.
Cancer. The societal burden of disease imposed by cancer is
indisputable. Cancer is the second leading cause of death in the
US,\25\ exceeded only by heart disease. In 1999, 1.38 million
new cancer cases will be diagnosed, as well as 900,000 new basal and
squamous skin cell cancers.\26\ The National Cancer Institute
estimates that the overall cost of cancer is $104 billion; $35 billion
in direct medical cost, $12 billion for morbidity costs (cost of lost
productivity) and $57 billion for mortality costs.\27\
---------------------------------------------------------------------------
\25\ American Cancer Society. http://4a2z.com/cgi/rfr.cgi?4CANCER-2-http://www.cancer.org/frames.html
\26\ American Cancer Society. http://www.cancer.org/statistics/97cff/97facts.html
\27\ American Cancer Society. http://www.cancer.org/statistics/97cff/97facts.html
---------------------------------------------------------------------------
Among the most important elements in the fight against cancer are
screening, early detection and treatment of the disease. However,
many patients are concerned that some screening procedures
will make them vulnerable to discrimination by insurers or employers.
These privacy concerns have been cited as a reason patients do not seek
early treatment for diseases such as cancer. As a result of forgoing
early screening, cancer patients may ultimately face a more severe
illness. For example, half of new diagnoses occur among types of cancer
for which screening is available. Based on this research, studies show
that if Americans participated in regular cancer screening, the rate of
survival among patients who have screening-accessible cancers could
increase to 95 percent.\28\
---------------------------------------------------------------------------
\28\ American Cancer Society. http://www.cancer.org/statistics/97cff/97facts.html
---------------------------------------------------------------------------
Approximately 184,300 women will be diagnosed with breast cancer
this year,\29\ and 25,000 women will be diagnosed with ovarian
cancer.\30\ In the same year, almost 44,000 women will die of
breast cancer,\31\ and 14,500 will die from ovarian
cancer.\32\ Early detection of these cancers could have a
significant impact on reducing loss due to disability and death. For
example, only 24 percent of ovarian cancers are diagnosed in the early
stages. Of these, approximately 90 percent of patients survive
treatment. The survival rate of women who detect breast cancer early is
similarly high; more than 90 percent of women who detect and treat
breast cancer in its early stages will survive.\33\
---------------------------------------------------------------------------
\29\ Avon's Breast Cancer Crusade. http://www.pmedia.com/Avon/library/faq.html
\30\ Ovarian Cancer National Alliance. http://www.ovariancancer.org/index.shtml
\31\ Cancer Statistics, 1999, Landis, Murray, Bolden and Wingo.
CA: A Cancer Journal for Clinicians, Jan/Feb, 1999, Vol. 49, No. 1
\32\ Ovarian Cancer National Alliance. http://www.ovariancancer.org/index.shtml
\33\ Breast Cancer Information Service. http://trfn.clpgh.org/bcis/FAQ/facts2.html
---------------------------------------------------------------------------
Researchers have developed screening techniques to identify breast,
ovarian, and colon cancers, and tests have been developed to identify
the presence or absence of cellular abnormalities that may lead to
cancer. Despite these technological advances, the principle of patient
autonomy requires that patients must decide for themselves if they will
submit to screening procedures. Many individuals fear that employers
and insurers will use cancer screening to discriminate against them.
Several studies illustrate that persons with and without cancer fear
discrimination. Thus, despite the potential benefits that early
identification of cancer may yield, many researchers find that patient
concerns regarding the confidentiality of cancer screening may prevent
them from requesting the test, and result in disability or loss of
life.
HIV/AIDS. Early detection is essential for the health and survival
of an HIV (Human Immunodeficiency Virus) positive person. Concerns
about the confidentiality of HIV status may prevent some people from
getting tested. For this reason, each state has passed some sort of
legislation regarding the confidentiality of HIV status. However, HIV
status can be revealed indirectly through disclosure of HAART (Highly
Active Anti-Retroviral Therapy) or similar HIV treatment drug use. In
addition, since HIV/AIDS (Acquired Immune Deficiency Syndrome) is often
the only specially protected condition, ``blacked out'' information on
medical charts could indicate HIV positive status.\34\
Strengthening privacy protections beyond this disease could increase
confidence in privacy regarding HIV as well. Drug therapy for HIV
positive persons has proven to be a life-extending, cost-effective
tool.\35\ A 1998 study showed that beginning treatment with
HAART in the early asymptomatic stage is more cost-effective than
beginning it late. After five years, only 15 percent of patients with
early treatment are estimated to develop an ADE (AIDS-defining event),
whereas 29 percent would if treatment began later. Early treatment with
HAART prolongs survival (adjusted for quality of life) by 6.2 percent.
The overall cost-effectiveness of early HAART treatment is estimated at
$23,700 per quality-adjusted year of life saved.\36\
---------------------------------------------------------------------------
\34\ Promoting Health: Protecting Privacy, California Health
Care Foundation and Consumers Union, January 1999, p. 13.
\35\ For example, Roger Detels, M.D., et al., in ``Effectiveness
of Potent Anti-Retroviral Therapy * * *,'' JAMA, 1998; 280: 1497-1503
note the impact of therapy on HIV persons with respect to
lengthening the time to development of AIDS, not just delaying death
in persons who already have AIDS.
\36\ John Hornberger et al, ``Early treatment with Highly Active
Anti-Retroviral Therapy (HAART) is cost-effective compared to
delayed treatment,'' 12th World AIDS conference, 1998.
---------------------------------------------------------------------------
Other Sexually Transmitted Diseases. It is difficult to know how
many people are avoiding testing for STDs despite having a sexually
transmitted disease. A 1998 study by the Kaiser Family Foundation found
that the incidence of disease was 15.3 million in 1996, though there is
great uncertainty due to under-reporting.\37\ For a
potentially embarrassing disease such as an STD, seeking treatment
requires trust in both the provider and the health care system for
confidentiality. Greater trust should lead to more testing and greater
levels of treatment. Earlier treatment for curable STDs can mean a
decrease in morbidity and the costs associated with complications.
These include expensive fertility problems, fetal blindness, ectopic
pregnancies, and other reproductive complications.\38\ In
addition, there could be greater overall savings if earlier treatment
translates into reduced spread of infections.
---------------------------------------------------------------------------
\37\ Sexually Transmitted Diseases in America, Kaiser Family
Foundation, 1998. p. 12.
\38\ Standard Medical information; see http://www.mayohealth.org
for examples.
---------------------------------------------------------------------------
Substance Abuse and Mental Health Treatment. When individuals have
a better understanding of the privacy practices that we are requiring
in this proposed rule, some will be less reluctant to seek substance
abuse and mental health treatment. One way that individuals will
receive this information is through the notice requirement.
Increased use of mental health services would be expected to be
beneficial to the persons receiving the care, to their families, and to
society at large. The individual direct benefit from treatment would
include an improved quality of life, reduced disability associated with
the mental conditions, and a reduced mortality rate. The benefit to
families would include quality of life improvements and reduced medical
costs for other family members associated with abusive behavior by the
treated individual. The benefit to society would include reduced costs
of crime and reduced future public program treatment costs.
The 1998 Substance Abuse and Mental Health Statistics Source Book
from SAMHSA reports cost-of-disease estimates from a range of studies,
suggesting several hundred billion dollars of non-treatment costs
associated with alcohol, drug, and mental (ADM) disorders. As an
example of the magnitude of costs associated with mental health
treatment, a 1997 National Institutes of Health report suggests that
the total economic cost of mental health disorders such as anxiety,
depressive (mood) disorders, eating disorders, and schizophrenia is
approximately $115.5 billion annually.\39\ Evidence suggests
that appropriate treatment of mental health disorders can result in 50-
80 percent of individuals experiencing improvements in these types of
conditions. Improvements in patient functioning and reduced hospital
stays could result in hundreds of millions of dollars in cost savings
annually.
---------------------------------------------------------------------------
\39\ Disease-Specific Estimates of Direct and Indirect Costs of
Illness and NIH Support; 1997 Update, 1997.
---------------------------------------------------------------------------
The potential additional economic benefits associated with
improving patient confidentiality and thus encouraging some unknown
portion of individuals to either seek initial mental health treatment
or increase service use are difficult to quantify well. Nevertheless,
one can lay out a range of possible benefit levels to illustrate the
possibility of cost savings associated with an expansion of mental
health treatment to individuals who, due to protections offered by the
privacy regulation, might seek mental health treatment that they
otherwise would not have absent this regulation. This can be
illustrated by drawing upon existing data on both the economic costs of
mental illness and the treatment effectiveness of mental health
interventions.
Although figures on the number of individuals who avoid mental
health treatment due to privacy concerns do not exist, some indirect
evidence is available. A 1993 Harris-Equifax Health Information Privacy
Survey (noted earlier) found that 7 percent of respondents reported
that they or a member of their immediate family had chosen not to seek
services for a physical or mental health condition due to fear of harm
to job prospects or other life opportunities. It should be noted that
this survey is somewhat dated and represents only one estimate.
Moreover, given the wording of the question, there are other reasons
aside from privacy concerns that led these individuals to respond
positively.
For the purpose of an illustration, however, assumptions can be
made about what proportion of the 7 percent responding affirmatively to
this question may have avoided seeking mental health services due to
privacy concerns. Given the proportion of mental health services that
comprise total health care services in this country, a reasonable
upper limit of the number of individuals avoiding mental health
treatment due to privacy concerns might be 1.8 percent (i.e., 25% of
7%), while a reasonable lower limit might be 0.36 percent (i.e., 5% of
7%). Taking these figures as upper and lower limits, it is possible to
estimate potential benefits by multiplying these figures by the annual
economic cost reductions associated with treatment effectiveness rates.
For example, using the upper limit of 1.8 percent, multiplying this by
the annual economic costs of mental illness ($115.5 billion) and a
treatment effectiveness rate of 80 percent, yields an estimate of
potential annual benefits of $1,663,200,000. Similarly, using the upper
limit of 1.8 percent coupled with a treatment effectiveness rate of 50
percent yields an estimate of potential annual benefits of
$1,039,500,000. Assuming a lower limit of 0.36 percent more individuals
seeking mental health treatment due to enhanced privacy protections,
coupled with a treatment effectiveness rate of 80% yields an estimate
of potential annual benefits of $332,640,000. Similarly, using the
lower limit of 0.36 percent coupled with a treatment effectiveness rate
of 50 percent yields an estimate of potential annual benefits of
$207,900,000. Therefore, given the existing data on the annual economic
costs of mental illness and the rates of treatment effectiveness for
these disorders, coupled with assumptions regarding the percentage of
individuals who might seek mental health treatment under conditions of
greater privacy protections, the potential additional economic benefit
in this one treatment area could range from approximately $208 million
to $1.67 billion annually.
Table 3.--Potential Benefits of the Proposed Privacy Regulation From
Cost Savings Due to Early Treatment of Mental Health Disorders
------------------------------------------------------------------------
                                     Total annual      Percent net cost
                                     economic cost of  reduction if
              Illness                illness (in       additional care
                                     billions)         is received
------------------------------------------------------------------------
Mental Health--Anxiety Disorders....       $46.6             70-90
Mental Health--Depressive (Mood)            30.4             60-80
 Disorders..........................
Mental Health--Eating Disorders.....         6.0             40-60
Mental Health--Schizophrenia........        32.5             60-85
                                     -----------------------------------
    Total...........................       115.5             N/A
------------------------------------------------------------------------
[[Page 60022]]
G. Examination of Alternative Approaches
1. Creation of De-identified Information (164.506(d))
We considered defining ``individually identifiable health
information'' as any information that is not anonymous, that is, for
which there is any possibility of identifying the subject. We rejected
this option, for several reasons. First, the statute suggests a
different approach. The term ``individually identifiable health
information'' is defined in HIPAA as health information that:
* * * identifies the individual, or with respect to which there is a
reasonable basis to believe that the information can be used to
identify the individual.
By including the modifier ``reasonable basis,'' Congress appears to
reject the absolute approach to defining ``identifiable.'' Covered
entities would not always have the statistical sophistication to know
with certainty when sufficient identifying information has been removed
so that the record is no longer identifiable. We believe that covered
entities need more concrete guidance as to when information will and
will not be ``identifiable'' for purposes of this regulation.
Defining non-identifiable to mean anonymous would require covered
entities to comply with the terms of this regulation with respect to
information for which the probability of identification of the subject
is very low. We want to encourage covered entities and others to remove
obvious identifiers or encrypt them whenever possible; use of the
absolute definition of ``identifiable'' would not promote this salutary
result.
For these reasons, we propose at Sec. 164.506(d)(2)(ii) that there
be a presumption that, if specified identifying information is removed
and if the holder has no reason to believe that the remaining
information can be used by the reasonably anticipated recipients alone
or in combination with other information to identify an individual,
then the covered entity would be presumed to have created de-identified
information.
At the same time, in proposed Sec. 164.506(d)(2)(iii), we are
leaving leeway for more sophisticated data users to take a different
approach. We are including a ``reasonableness'' standard so that
entities with sufficient statistical experience and expertise could
remove or code a different combination of information, so long as the
result is still a low probability of identification. With this
approach, our intent is to provide certainty for most covered entities,
while not limiting the options of more sophisticated data users.
In this rule we are proposing that covered entities and their
business partners be permitted to use protected health information to
create de-identified health information. Covered entities would be
permitted to further use and disclose such de-identified information in
any way, provided that they do not disclose the key or other mechanism
that would enable the information to be re-identified, and provided
that they reasonably believe that such use or disclosure of de-
identified information will not result in the use or disclosure of
protected health information. See proposed Sec. 164.506(d)(1). This
means that a covered entity could not disclose de-identified
information to a person if the covered entity reasonably believes that
the person would be able to re-identify some or all of that
information, unless disclosure of protected health information to such
person would be permitted under this proposed rule. In addition, a
covered entity could not use or disclose the key to coded identifiers
if this rule would not permit the use or disclosure of the identified
information to which the key pertains. If a covered entity re-
identifies the de-identified information, it may only use or disclose
the re-identified information consistent with these proposed rules, as
if it were the original protected health information.
We invite comment on the approach that we are proposing and on
whether alternative approaches to standards for entities determining
when health information can reasonably be considered no longer
individually identifiable should be considered.
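The de-identification approach described in this section, with specified identifiers removed, replaced by a keyed code, and the key and code table held apart from the data, as an added Python illustration that is not part of the proposed rule; the list of identifier fields, the sample record and the key are assumptions constructed for the example:

```python
from __future__ import annotations

import hashlib
import hmac

# Assumed list of direct-identifier fields, constructed for this example; the
# proposed rule's own enumeration of "specified identifying information" is
# not reproduced on this page.
DIRECT_IDENTIFIERS = ("name", "ssn", "mrn", "phone", "address")


def code_identifier(key: bytes, field: str, value: str) -> str:
    """Replace one identifier value with a keyed code (truncated HMAC-SHA256).

    The same key maps the same value to the same code, so records about one
    person stay linkable to each other; without the key and the code table the
    code itself reveals nothing about the original value."""
    msg = f"{field}={value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict, key: bytes) -> tuple[dict, dict]:
    """Strip direct identifiers from a record.

    Returns the de-identified record and a code table (code -> original value).
    The key and the code table together are the re-identification mechanism:
    they are kept apart from the data and are never disclosed with it."""
    deid, code_table = {}, {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            code = code_identifier(key, field, str(value))
            deid[f"{field}_code"] = code
            code_table[code] = value
        else:
            deid[field] = value
    return deid, code_table


def reidentify(deid: dict, code_table: dict) -> dict:
    """Restore identifiers from the code table.

    The result is protected health information again and may only be used or
    disclosed as the original record could have been."""
    restored = {}
    for field, value in deid.items():
        if field.endswith("_code") and value in code_table:
            restored[field[: -len("_code")]] = code_table[value]
        else:
            restored[field] = value
    return restored


def leaks_identifier(deid: dict, original: dict) -> bool:
    """Release check before disclosure: True if any original identifier value
    still appears, whole or as a substring, in a remaining free-text or other
    field of the de-identified record."""
    values = [str(original[f]) for f in DIRECT_IDENTIFIERS if f in original]
    blob = " ".join(str(v) for v in deid.values())
    return any(v and v in blob for v in values)


# Constructed sample record and a fixed key; a real holder generates the key
# and stores it, with the code table, separately from the de-identified data.
SAMPLE_KEY = b"example-key-for-illustration-only"
SAMPLE_RECORD = {
    "name": "Pat Example",
    "ssn": "000-00-0000",
    "mrn": "MRN-12345",
    "visit_date": "1999-11-03",
    "diagnosis": "F41.1",
    "notes": "Follow-up in 6 weeks.",
}

if __name__ == "__main__":
    deid, table = deidentify(SAMPLE_RECORD, SAMPLE_KEY)
    print("de-identified:", deid)
    print("leaks identifier:", leaks_identifier(deid, SAMPLE_RECORD))
    print("round trip ok:", reidentify(deid, table) == SAMPLE_RECORD)
```

The release check catches the case the text warns about: remaining free-text fields that still name the individual, which the holder then has reason to believe can identify the subject.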
2. General Rules (Sec. 164.506)
As a general rule, we are proposing that protected health
information not be used or disclosed by covered entities except as
authorized by the individual who is the subject of such information or
as explicitly provided in this rule. Under this proposal, most uses and
disclosures of an individual's protected health information would not
require explicit authorization by the individual, but would be
restricted by the provisions of the rule. Covered entities would be
able to use or disclose an individual's protected health information
without authorization for treatment, payment and health care
operations. See proposed Sec. 164.506(a)(1)(i). Covered entities also
would be permitted to use or disclose an individual's protected health
information for specified public and public policy-related purposes,
including public health, research, health oversight, law enforcement,
and use by coroners. Covered entities would be permitted by this rule
to use and disclose protected health information when required to do so
by other law, such as a mandatory reporting requirement under State law
or pursuant to a search warrant. See proposed Sec. 164.510. Covered
entities would be required by this rule to disclose protected health
information for only two purposes: to permit individuals to inspect and
copy protected health information about them (see proposed
Sec. 164.514) and for enforcement of this rule (see proposed
Sec. 164.522(d)).
Covered entities of all types and sizes would be required to comply
with the proposed privacy standards outlined below. The proposed
standards would not impose particular mechanisms or procedures that
covered entities must adopt to implement the standards. Instead, we
would require that each affected entity assess its own needs and
devise, implement, and maintain appropriate privacy policies,
procedures, and documentation to address its business requirements. How
each privacy standard would be satisfied would be a business decision
that each entity would have to make. This permits the privacy standards
to establish a stable baseline, yet remain flexible enough to take
advantage of developments and methods for protecting privacy that will
evolve over time.
Because the privacy standards would need to be implemented by all
covered entities, from the smallest provider to the largest, multi-
state health plan, a single approach to implementing these standards
would be neither economically feasible nor effective in safeguarding
health information privacy. For example, in a small physician practice
the office manager might be designated to serve as the privacy official
as one of many duties (see proposed Sec. 164.518(a)) whereas at a large
health plan, the privacy official may constitute a full time position
and have the regular support and advice of a privacy staff or board.
In taking this approach, we intend to strike a balance between the
need to maintain the confidentiality of protected health information
and the economic cost of doing so. Health care entities must consider
both aspects in devising their solutions. This approach is similar to
the approach we proposed in the Notice of Proposed Rulemaking for the
administrative simplification security and electronic signature
standards.
[[Page 60023]]
3. Use and Disclosure for Treatment, Payment, and Health Care
Operations (Sec. 164.506(a))
We are proposing that, subject to limited exceptions for
psychotherapy notes and research information unrelated to treatment
discussed below, a covered entity be permitted to use or disclose
protected health information without individual authorization for
treatment, payment or health care operations.
We are not proposing to require individual authorizations of uses
and disclosures for health care and related purposes, although such
authorizations are routinely gathered today as a condition of obtaining
health care or enrolling in a health plan. Although many current
disclosures of health information are made pursuant to individual
authorizations, these authorizations provide individuals with little
actual control over their health information. When an individual is
required to sign a blanket authorization at the point of receiving care
or enrolling for coverage, that consent is often not voluntary because
the individual must sign the form as a condition of treatment or
payment for treatment. Individuals are also often asked to sign broad
authorizations but are provided little or no information about how
their health information would be or will in fact be used. Individuals
cannot make a truly informed decision without knowing all the possible
uses, disclosures and re-disclosures to which their information will be
subject. In addition, since the authorization usually precedes creation
of the record, the individual cannot predict all the information the
record could contain and therefore cannot make an informed decision as
to what would be released.
Our proposal is intended to make the exchange of protected health
information relatively easy for health care purposes and more difficult
for purposes other than health care. For individuals, health care
treatment and payment are the core functions of the health care system.
This is what they expect their health information will be used for when
they seek medical care and present their proof of insurance to the
provider. Consistent with this expectation, we considered requiring a
separate individual authorization for every use or disclosure of
information but rejected such an approach because it would not be
realistic in an increasingly integrated health care system. For
example, a requirement for separate patient authorization for each
routine referral could impair care, by delaying consultation and
referral as well as payment.
We therefore propose that covered entities be permitted to use and
disclose protected health information without individual authorization
for treatment and payment purposes, and for related purposes that we
have defined as health care operations. For example, providers could
maintain and refer to a medical record, disclose information to other
providers or persons as necessary for consultation about diagnosis or
treatment, and disclose information as part of referrals to other
providers. Providers also could use a patient's protected health
information for payment purposes such as submitting a claim to a payer.
In addition, providers could use a patient's protected health
information for health care operations, such as use for an internal
quality oversight review. We would note that, in the case of an
individual where the provider has agreed to restrictions on use or
disclosure of the patient's protected health information, the provider
would be bound by such restrictions as provided in Sec. 164.506(c).
We also propose to prohibit covered entities from seeking
individual authorization for uses and disclosures for treatment,
payment and health care operations unless required by State or other
applicable law. As discussed above in section II.C, such authorizations
could not provide meaningful privacy protections or individual control
and could in fact cultivate in individuals erroneous understandings of
their rights and protections.
The general approach that we are proposing is not new. Some
existing State health confidentiality laws permit disclosures without
individual authorization to other health care providers treating the
individual, and the Uniform Health-Care Information Act permits
disclosure ``to a person who is providing health-care to the patient''
(9 Part I, U.L.A. 475, 2-104 (1988 and Supp. 1998)). We believe that
this approach would be the most realistic way to protect individual
confidentiality in an increasingly data-driven, electronic and
integrated health care system. We recognize, however, that particularly
given the limited scope of the authority that we have under this
proposed rule to reach some significant actors in the health care
system, other approaches could be of interest. We invite comments
on whether other approaches to protecting individuals' health
information would be more effective.
4. Minimum Necessary Use and Disclosure (Sec. 164.506(b))
We propose that, except as discussed below, a covered entity must
make all reasonable efforts not to use or disclose more than the
minimum amount of protected health information necessary to accomplish
the intended purpose of the use or disclosure, taking into
consideration technological limitations.
Under this proposal, covered entities generally would be required
to establish policies and procedures to limit the amount of protected
health care information used or disclosed to the minimum amount
necessary to meet the purpose of the use or disclosure, and to limit
access to protected health information only to those people who need
access to the information to accomplish the use or disclosure. With
respect to use, if an entity consists of several different components,
the entity would be required to create barriers between components so
that information is not used inappropriately. The same principle
applies to disclosures.
A ``minimum necessary'' determination would need to be consistent
with and directly related to the purpose of the use or disclosure and
take into consideration the ability of a covered entity to delimit the
amount of information used or disclosed and the relative burden imposed
on the entity. The proposed minimum necessary requirement is based on a
reasonableness standard: covered entities would be required to make
reasonable efforts and to incur reasonable expense to limit the use and
disclosure of protected health information as provided in this section.
In our discussions of the minimum necessary requirement, we
considered whether or not this should apply to all entities and whether
or not it should be applied to all protected health information. We
decided that the principle of minimum necessary disclosure is critical
to the protection of privacy and that because small entities represent
83 percent of the health care industry, we would not exempt them from
this provision without undermining its effectiveness.
We understand that the requirements outlined in this section do not
create a bright line test for determining the minimum necessary amount
of protected health information appropriate for most uses or
disclosures. Because of this lack of precision, we considered
eliminating the requirement altogether. We also considered merely
requiring covered entities to address the concept within their internal
privacy
[[Page 60024]]
procedures, with no further guidance as to how each covered entity
would address the issue. These approaches were rejected because
minimizing both the amount of protected health information used and
disclosed within the health care system and the number of persons who
have access to such information is vital if we are to successfully
enhance the confidentiality of people's personal health information. We
invite comments on the approach that we have adopted and on alternative
methods of implementing the minimum necessary principle.
5. Right To Restrict Uses and Disclosures (Sec. 164.506(c))
We propose to permit in Sec. 164.506(c) that individuals be able to
request that a covered entity restrict further uses and disclosures of
protected health information for treatment, payment, or health care
operations, and if the covered entity agrees to the requested
restrictions, the covered entity could not make uses or disclosures for
treatment, payment or health care operations that are inconsistent with
such restrictions, unless such uses or disclosures are mandated by law.
This provision would not apply to health care provided to an individual
on an emergency basis.
We should note that there is nothing in this proposed rule that
would require a covered entity to agree to a request to restrict, or to
treat or provide coverage to an individual requesting a restriction
under this provision. Covered entities who do not wish to, or due to
contractual obligations cannot, restrict further use or disclosure are
not obligated to agree to a request under this provision.
We considered providing individuals substantially more control over
their protected health information by requiring all covered entities to
attempt to accommodate any restrictions on use and disclosure requested
by patients. We rejected this option as unworkable. While industry
groups have developed principles for requiring patient authorizations,
we have not found widely accepted standards for implementing patient
restrictions on uses or disclosures. Restrictions on information use or
disclosure contained in patient consent forms are sometimes ignored
because they may not be read or are lost in files. Thus, it seems
unlikely that a requested restriction could successfully follow a
patient's information through the health care system--from treatment to
payment, through numerous operations, and potentially through certain
permissible disclosures. Instead we would limit the provision to
restrictions that have been agreed to by the covered entity.
We recognize that the approach that we are proposing could be
difficult because of the systems limitations described above. However,
we believe that the limited right for patients proposed in this
proposed rule can be implemented because it only applies in instances
in which the covered entity agrees to the restrictions. We assume that
covered entities would not agree to restrictions that they are unable
to implement.
We considered limiting the rights under this provision to patients
who pay for their own health care (or for whom no payment was made by a
health plan). Individuals and providers that engage in self-pay
transactions have minimal effect on the rights or responsibilities of
payers or other providers, and so there would be few instances when a
restriction agreed to in such a situation would have negative
implications for the interests of other health care actors. Limiting
the right to restrict to self-pay patients also would reduce the number
of requests that would be made under this provision. We rejected this
approach, however, because the desire to restrict further uses and
disclosures arises in many instances other than self-pay situations.
For example, a patient may not want his or her records shared with a
particular physician because that physician is a family friend. Or an
individual could be seeking a second opinion and may not want his or
her treating physician consulted. Individuals have a legitimate
interest in restricting disclosures in these situations. We solicit
comment on the appropriateness of limiting this provision to instances
in which no health plan payment is made on behalf of the individual.
6. Application to Business Partners (Sec. 164.506(e))
In Sec. 164.506(e), we propose to require covered entities to take
specific steps to ensure that protected health information disclosed to
a business partner remains protected. We intend these provisions to
allow customary business relationships in the health care industry to
continue while providing privacy protections to the information shared
in these relationships. Business partners would not be permitted to use
or disclose protected health information in ways that would not be
permitted of the covered entity itself under these rules.
Other than for purposes of consultation or referral for treatment,
we would allow covered entities to disclose protected health
information to business partners only pursuant to a written contract
that would, among other specified provisions, limit the business
partner's uses and disclosures of protected health information to those
permitted by the contract, and would impose certain security,
inspection and reporting requirements on the business partner. We would
hold the covered entity responsible for certain violations of this
proposed rule made by their business partners, and require assignment
of responsibilities when a covered entity acts as a business partner of
another covered entity.
Under this proposed rule, a business partner would be acting on
behalf of a covered entity, and we propose that its use or disclosure
of protected health information be limited to the same extent that the
covered entity for whom they are acting would be limited. Thus, a
business partner could have no more authority to use or disclose
protected health information than that possessed by the covered entity
from which the business partner received the information. We would note
that a business partner's authority to use and disclose protected
health information could be further restricted by its contract with a
covered entity, as described below.
We are not proposing to require the business partners of covered
entities to develop and distribute a notice of information practices,
as provided in proposed Sec. 164.512. A business partner would,
however, be bound by the terms of the notice of the covered entity from
which it obtains protected health information. See proposed
Sec. 164.506(e). We are proposing this approach so that individuals
could rely on the notices that they receive from the covered entities
to which they disclose protected health information. If the business
partners of a covered entity were able to make wider use or make more
disclosures than the covered entity, the patients or enrollees of the
covered entity would have difficulty knowing how their information was
being used and to whom it was being disclosed.
We are also proposing that a business partner's use and disclosure
of protected health information be limited by the terms of the business
partner's contractual agreement with the covered entity. We propose
that a contract between a covered entity and a business partner could
not grant the business partner authority to make uses or disclosures of
protected health information that the covered entity itself would not
have the authority to make. The contract between a covered entity and a
business partner could further limit the business partner's authority
to
[[Page 60025]]
use or disclose protected health information as agreed to by the
parties. Further, the business partner would have to apply the same
limitations to its subcontractors (or persons with similar
arrangements) who assist with or carry out the business partner's
activities.
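The minimum necessary principle of section 4, the agreed restrictions of section 5 and the business partner authority rule of section 6 (a contract may narrow but never widen what the covered entity itself may do, and subcontractors inherit the same limits), worked through as an added Python illustration that is not part of the proposed rule; the purpose-to-field policy, the actor names, the sample record and the restriction set are assumptions constructed for the example:

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed minimum-necessary policy: the fields a disclosure for each
# purpose may carry. The purposes follow Sec. 164.506(a); the field lists are
# assumptions for this example, since the rule leaves that determination to
# each covered entity.
MINIMUM_NECESSARY = {
    "treatment": {"name", "mrn", "diagnosis", "medications", "allergies"},
    "payment": {"name", "mrn", "insurer_id", "procedure_codes", "charges"},
    "health_care_operations": {"mrn", "diagnosis", "procedure_codes"},
}


@dataclass(frozen=True)
class Actor:
    """A covered entity, business partner or subcontractor, with the purposes
    for which it may receive protected health information."""
    name: str
    permitted_purposes: frozenset


def delegate(principal: Actor, name: str, contract_purposes: set) -> Actor:
    """Create a business partner (or a partner's subcontractor) under a
    contract. The contract can narrow the principal's authority but never
    widen it, so the result is the intersection (Sec. 164.506(e))."""
    return Actor(name, principal.permitted_purposes & frozenset(contract_purposes))


def disclose(record: dict, recipient: Actor, purpose: str,
             agreed_restrictions: frozenset = frozenset()) -> dict:
    """Return the minimum-necessary projection of `record` for `purpose`.

    Raises PermissionError if the recipient is not permitted that purpose, or
    if the covered entity has agreed under Sec. 164.506(c) not to share this
    individual's information with that recipient."""
    if purpose not in MINIMUM_NECESSARY:
        raise ValueError(f"unknown purpose: {purpose}")
    if purpose not in recipient.permitted_purposes:
        raise PermissionError(f"{recipient.name} may not receive PHI for {purpose}")
    if recipient.name in agreed_restrictions:
        raise PermissionError(f"agreed restriction bars disclosure to {recipient.name}")
    allowed = MINIMUM_NECESSARY[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def can_disclose(record: dict, recipient: Actor, purpose: str,
                 agreed_restrictions: frozenset = frozenset()) -> bool:
    """Boolean form of disclose() for policy checks."""
    try:
        disclose(record, recipient, purpose, agreed_restrictions)
        return True
    except (PermissionError, ValueError):
        return False


# Constructed actors: a hospital (covered entity) and its delegation chain.
HOSPITAL = Actor("hospital", frozenset(MINIMUM_NECESSARY))
# The billing contract also names "marketing", but the hospital cannot grant
# a purpose the rule does not give it, so only "payment" survives.
BILLING_VENDOR = delegate(HOSPITAL, "billing vendor", {"payment", "marketing"})
# The vendor's subcontractor asks for treatment data too; it gets no more
# than the vendor itself holds.
CLEARINGHOUSE = delegate(BILLING_VENDOR, "claims clearinghouse",
                         {"payment", "treatment"})

SAMPLE_RECORD = {  # constructed sample
    "name": "Pat Example", "mrn": "MRN-12345", "diagnosis": "F41.1",
    "medications": ["sertraline"], "insurer_id": "PLAN-0001",
    "procedure_codes": ["90834"], "charges": 120.00,
    "notes": "Follow-up in 6 weeks.",
}

if __name__ == "__main__":
    print(disclose(SAMPLE_RECORD, BILLING_VENDOR, "payment"))
    print(can_disclose(SAMPLE_RECORD, BILLING_VENDOR, "treatment"))
```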
To help ensure that the uses and disclosures of business partners
are limited to those recognized as appropriate by the covered entities
from whom they receive protected health information, subject to the
exception discussed below, we are proposing that covered entities be
prohibited from disclosing protected health information to a business
partner unless the covered entity has entered into a written contract
with the business partner that meets the requirements of this
subsection. See proposed Sec. 164.506(e)(2)(i).
The contract requirement that we are proposing would permit covered
entities to exercise control over their business partners' activities
and provides documentation of the relationship between the parties,
particularly the scope of the uses and disclosures of protected health
information that business partners could make. The presence of a
contract also would formalize the relationship, better assuring that
key questions such as security, scope of use and disclosure, and access
by subject individuals are adequately addressed and that the roles of
the respective parties are clarified. Finally, a contract can bind the
business partner to return any protected health information from the
covered entity when the relationship is terminated.
In lieu of a contracting requirement, we considered imposing only
affirmative duties on covered entities to ensure that their
relationships with business partners conformed to the standards
discussed in the previous paragraph. Such an approach could be
considered less burdensome and restrictive, because we would be leaving
it to the parties to determine how to make the standards effective. We
rejected this approach primarily because we believe that in the vast
majority of cases, the only way that the parties could establish a
relationship with these terms would be through contract. We also
determined that the value of making the terms explicit through a
written contract would better enable the parties to know their roles
and responsibilities, as well as better enable the Secretary to
exercise her oversight role. In addition, we understand that most
covered entities already enter into contracts in these situations and
therefore this proposal would not disturb general business practice. We
invite comment on whether there are other contractual or non-
contractual approaches that would afford an adequate level of
protection to individuals' protected health information. We also invite
comment on the specific provisions and terms of the proposed approach.
We are proposing one exception to the contracting requirement: when
a covered entity consults with or makes a referral to another covered
entity for the treatment of an individual, we would propose that the
sharing of protected health information pursuant to that consultation
or referral not be subject to the contracting requirement described
above. See proposed Sec. 164.506(e)(1)(i). Unlike most business partner
relationships, which involve the systematic sharing of protected health
information under a business relationship, consultation and referrals
for treatment occur on a more informal basis among peers, and are
specific to a particular individual. Such exchanges of information for
treatment also appear to be less likely to raise concerns about further
impermissible use or disclosure, because providers receiving such
information are unlikely to have a commercial or other interest in
using or disclosing the information. We invite comment on the
appropriateness of this exception, and whether there are additional
exceptions that should be included in the final regulation.
We note that covered health care providers receiving protected
health information for consultation or referral purposes would still be
subject to this rule, and could not use or disclose such protected
health information for a purpose other than the purpose for which it
was received (i.e., the consultation or referral). Further, we note
that providers making disclosures for consultations or referrals should
be careful to inform the receiving provider of any special limitations
or conditions that the disclosing provider has agreed to impose
(e.g., the disclosing provider has provided notice to its patients that
it will not make disclosures for research).
We are proposing that covered entities be accountable for the uses
and disclosures of protected health information by their business
partners. A covered entity would be in violation of this rule if the
covered entity knew or reasonably should have known of a material
breach of the contract by a business partner and it failed to take
reasonable steps to cure the breach or terminate the contract. See
proposed Sec. 164.506(e)(2)(iii). A covered entity that is aware of
impermissible uses and disclosures by a business partner would be
responsible for taking such steps as are necessary to prevent further
improper use or disclosures and, to the extent practicable, for
mitigating any harm caused by such violations. This would include, for
example, requiring the business partner to retrieve inappropriately
disclosed information (even if the business partner must pay for it) as
a condition of continuing to do business with the covered entity. A
covered entity that knows or should know of impermissible use of
protected health information by its business partner and fails to take
reasonable steps to end the breach would be in violation of this rule.
We considered requiring covered entities to terminate relationships
with business partners if the business partner committed a serious
breach of contract terms required by this subpart or if the business
partner exhibited a pattern or practice of behavior that resulted in
repeated breaches of such terms. We rejected that approach because of
the substantial disruptions in business relationships and customer
service when terminations occur. We instead require the covered entity
to take reasonable steps to end the breach and mitigate its effects. We
would expect covered entities to terminate the arrangement if it
becomes clear that a business partner cannot be relied upon to maintain
the privacy of protected health information provided to it. We invite
comments on our approach here and whether requiring automatic
termination of business partner contracts would be warranted in any
circumstances.
We also considered imposing more strict liability on covered
entities for the actions of their business partners, just as principals
are strictly liable for the actions of their agents under common law.
We decided, however, that this could impose too great a burden on
covered entities, particularly small providers. We are aware that, in
some cases, the business partner will be larger and more sophisticated
with respect to information handling than the covered entity. Therefore
we instead opted to propose that covered entities monitor use of
protected health information by business partners, and be held
responsible only when they knew or should have known of improper use of
protected health information.
Our intention in this section is to recognize the myriad of
business relationships that currently exist and to ensure that when
they involve the exchange of protected health information, the roles
and responsibilities of the different parties with respect to the
[[Page 60026]]
protected health information are clear. We do not propose to fundamentally alter the
types of business relationships that exist in the health care industry
or the manner in which they function. We request comments on the extent
to which our proposal would disturb existing contractual or other
arrangements among covered entities and business partners.
7. Application to Information About Deceased Persons (Sec. 164.506(f))
We are proposing that information otherwise protected by these
regulations retain that protection for two years after the death of the
subject of the information. The only exception that we are proposing is
for uses and disclosures for research purposes.
HIPAA includes no temporal limitations on the application of the
privacy protections. Although we have the authority to protect
individually identifiable health information maintained by a covered
entity indefinitely, we are proposing that the requirements of this
rule generally apply for only a limited period, as discussed below. In
traditional privacy law, privacy interests, in the sense of the right
to control use or disclosure of information about oneself, cease at
death. However, good arguments exist in favor both of protecting and
not protecting information about the deceased. Considering that one of
the underlying purposes of health information confidentiality is to
encourage a person seeking treatment to be frank in the interest of
obtaining care, there is good reason for protecting information even
after death. Federal agencies and others sometimes withhold sensitive
information, such as health information, to protect the privacy of
surviving family members. At the same time, perpetual confidentiality
has serious drawbacks. If information is needed for legitimate
purposes, the consent of a living person legally authorized to grant
such consent must be obtained, and the further from the date of death,
the more difficult it may be to identify the person. The administrative
burden of perpetual protection may eventually outweigh the privacy
interests served.
While various State laws have been passed specifically addressing
privacy of genetic information, there is currently no federal
legislation that deals with these issues. We considered extending the
two-year period for genetic and hereditary information, but were unable
to construct criteria for protecting the possible privacy interests of
living children without creating extensive burden for information
holders and hampering health research. We invite comments on whether
further action is needed in this area and what types of practical
provisions may be appropriate to protect genetic and hereditary health
information.
8. Uses and Disclosures With Individual Authorization (Sec. 164.508)
Covered entities would be required to obtain individual
authorization to use individually identifiable health information for
purposes other than those allowed under the rule. Activities requiring
authorization include, for example, marketing. Costs will be ongoing
for staffing and administrative activities related to obtaining
authorization from individuals.
Our proposal is based on the precept that a combination of strict
limits on how covered entities can use and disclose protected health
information, adequate notice to individuals about how their information
will be used, and guaranteeing individuals' rights to inspect, copy and
amend their health records will provide patients with better privacy
protection and more effective control over their information than
alternative approaches to privacy protection.
This section addresses the requirements that we are proposing when
protected health information is disclosed pursuant to the individual's
explicit authorization. The regulation would require that covered
entities have authorization from individuals before using or disclosing
their protected health information for any purpose not otherwise
recognized by this regulation. Circumstances where an individual's
protected health information could be used or disclosed without
authorization are discussed in connection with proposed Secs. 164.510
and 164.522 below.
This section proposes different conditions governing such
authorizations in two situations in which individuals commonly
authorize covered entities to disclose information:
Where the individual initiates the authorization because
he or she wants a covered entity to disclose his or her record, and
Where a covered entity asks an individual to authorize it
to disclose or use information for purposes other than treatment,
payment or health care operations.
The requirements proposed in this section are not intended to
interfere with normal uses and disclosures of information in the health
care delivery or payment process, but only to allow control of uses
extraneous to health care. The restrictions on disclosure that the
regulation would apply to covered entities may mean that some existing
uses and disclosures of information could take place only if the
individual explicitly authorized them under this section.
We considered requiring a uniform set of requirements for all
authorizations, but concluded that it would be appropriate to treat
authorizations initiated by the individual differently from
authorizations sought by covered entities. There are fundamental
differences, in the uses of information and in the relationships and
understandings among the parties, in these two situations. When
individuals initiate authorizations, they are more likely to understand
the purpose of the release and to benefit themselves from the use or
disclosure. When a covered entity asks the individual to authorize
disclosure, we believe the entity should make clear what the
information will be used for, what the individual's rights are, and how
the covered entity would benefit from the requested disclosure.
We are proposing several requirements that would have to be met in
the authorization process when the individual has initiated the
authorization. We understand that the requirements that we are imposing
here would make it quite unlikely that an individual could actually
initiate a completed authorization, because few individuals would know
to include all of these elements in a request for information. In most
instances, individuals authorize a use or disclosure by completing a
form provided by a third party, either the ultimate recipient of the
information (who may have a form authorizing them to obtain the records
from the record holders) or a health care provider or health plan
holding the records (who may have a form that documents a request for
the release of records to a third party). For this reason, we do not
believe that our proposal would create substantial new burdens on
individuals or covered entities in cases when an individual is
initiating an authorized release of information. We invite comment on
whether we are placing new burdens on individuals or covered entities.
We also invite comment on whether the approach that we have proposed
provides sufficient protection to individuals who seek to have their
protected health information used or disclosed.
We are proposing that when covered entities initiate the
authorization by asking individuals to authorize disclosure, the
authorization be required to include all of the items required above as
well as several additional items. We are proposing additional
requirements when covered entities initiate the request for
[[Page 60027]]
authorization, because in many cases it could be the covered entity,
and not the individual, that achieves the primary benefit of the
disclosure. We considered permitting covered entities to request
authorizations with only the basic features proposed for authorizations
initiated by the individual, for the sake of simplicity and
consistency. However, we believe that additional protections are
merited, in order to avert possible coercion, when the entity that
provides or pays for health care is the one requesting the authorization.
We also acknowledge that there will be costs related to moving away
from a blanket authorization system. These costs will be discussed more
explicitly in the sections on allowable disclosures (both with and
without authorization).
Covered entities and third parties that wish to have information
disclosed to them will prepare forms for individuals to use to
authorize use or disclosure. A model authorization form is displayed in
Appendix A to this proposed rule. We considered presenting separate
model forms for the two different types of authorizations (initiated by
the individual and not initiated by the individual). However, this
approach could be subject to misuse and be confusing to covered
entities and individuals, who may be unclear as to which form is
appropriate in specific situations. The model in the appendix
accordingly is a unitary model, which includes all of the requirements
for both types of authorization. By following such a model, covered
entities, particularly small entities, could avoid the legal and
administrative expenses that would be necessary to develop an
authorization form that complies with the rule's requirements. The
proposed rule does not prevent entities from developing or modifying
their own authorization forms. The alternative to providing this model
was to simply state that an authorization would be required and allow
entities to develop the authorization independently. While we would
specify some information required in the authorization in this
alternative, we would not give an actual form. This was considered to
be an unnecessary burden for entities.
Finally, we are proposing that an individual be permitted to revoke
an authorization at any time except to the extent that action has been
taken in reliance on the authorization. See proposed Sec. 164.508(e).
9. Uses and Disclosures Permitted Without Individual Authorization
(Sec. 164.510)
This section describes uses and disclosures of protected health
information that covered entities could make for purposes other than
treatment, payment, and health care operations without individual
authorization, and the conditions under which such uses and disclosures
could be made. We propose to allow covered entities to use or disclose
protected health information without individual authorization for such
purposes if the use or disclosure would comply with the applicable
requirements of this section.
Covered entities could need to reevaluate and modify their
operating procedures to comply with the proposed rule's prohibition on
disclosing individually identifiable health information without patient
authorization for any purpose other than treatment, payment, health
care operations, or those situations explicitly identified as
permissible disclosures under this proposed rule. Many entities could
already do this. Entities that do not do this would need to alter
information management systems and implement administrative policies
and procedures to prevent inappropriate disclosures. Entities would
also have to determine whether or not an authorization is necessary for
each disclosure beyond treatment, payment, and health care operations
that is not explicitly defined as a permissible disclosure under this
proposed rule. It should be noted that the minimum necessary principle
is an important component of the costs related to any disclosure. We
expect that there would be significant initial and ongoing costs.
If an entity chooses to disclose protected health information
without authorization from individuals, there would be a number of new
provisions that it would have to comply with. For example, if a
disclosure is to researchers outside of the organization, the entity
must obtain written documentation indicating that the research has been
approved by an institutional review board (IRB) or equivalent process
by a privacy board. This requirement is associated with ongoing
administrative costs. We note that any such costs are optional unless
other requirements (state laws, mandatory reporting systems, etc.)
mandate these disclosures. In order to minimize the burden of these
costs for mandatory disclosures, we have tried to apply as few business
partner requirements as possible in areas where these mandatory
disclosures are possible. However, in cases where the disclosure is
optional, entities would have higher costs if they choose to use these
disclosures. We expect that entities would consider these costs before
making any such disclosure and determine if the benefits to their
business of disclosure are greater than the costs related to making the
disclosure. Additionally, other than the new requirements for
disclosures for research, most of the disclosures are simply
recognizing current practices and would not require large new costs.
We considered permitting uses and disclosures only where law
affirmatively requires the covered entity to use or disclose protected
health information. However, because the activities described below are
so important to the population as a whole, we decided to permit a
covered entity to use or disclose information to promote those
activities even when such activities are not legally mandated. In some
cases, however, we would permit a use or disclosure only when such use
or disclosure is authorized by other law. The requirements for
verification of legal authority are discussed in section II.G.3.
Disclosures that are required by current law would only require
minimal additional costs to entities. The only cost directly
attributable to this proposed requirement would be the additional cost
of noting these disclosures on the accounting of uses and disclosures.
However, disclosures required by this proposed regulation should be
considered new costs. These mandatory disclosures would be extremely
rare. For example, we expect that the Department would limit the number
of compliance audits conducted. In these cases, some of the more
expensive activities, including the minimum necessary principle and
determining whether or not to make the disclosure, would not be
applicable.
We would restrict the discussion of discretionary disclosures to
the general principles behind such disclosures rather than a detailed
description of each allowable disclosure. More elaborate discussion of
options for individual classes of disclosures can be found in the
preamble. These disclosures are optional, and therefore any costs of
making them would likewise be optional.
We do not have a complete understanding of how often these disclosures
are currently made, nor do we understand what procedures are currently
in place. We also do not understand how often these disclosures would
be made given the new costs associated with such disclosures. Note
that the degree of new costs imposed if an entity opts to use a
[[Page 60028]]
disclosure varies dramatically depending on the type of disclosure. For
example, a disclosure of directory information in a hospital would
probably not involve significant additional costs, while research that
is not subject to the Common Rule would have significant new costs
involved. These disclosures, and thus these costs, are optional under
this proposed rule. While they may be mandated under other law, such
mandated disclosures are already being made, so there would be no
additional costs. In this case there are only marginal new costs
related to these disclosures.
10. Clearinghouses and the Rights of Individuals
The rights described below would apply with respect to protected
health information held by health care providers and health plans. We
are proposing that clearinghouses not be subject to all of these
requirements. We believe that as business partners of covered plans and
providers, clearinghouses would not usually initiate or maintain direct
relationships with individuals. The contractual relationship between a
clearinghouse (as a business partner) and a covered plan or provider
would bind the clearinghouse to the notice of information practices
developed by the plan or provider and it would include specific
provisions regarding inspection, copying, amendment and correction.
Therefore, we do not believe that clearinghouses should be required to
provide a notice or provide access for inspection, copying, amendment
or correction. We would require clearinghouses to provide an accounting
of any disclosures for purposes other than treatment, payment and
health care operations to individuals upon request. See proposed
Sec. 164.515. It is our understanding that the vast majority of the
clearinghouse function falls within the scope of treatment, payment,
and health care operations and therefore we do not believe providing
this important right to individuals would impose a significant burden
on the industry. We invite comment on whether or not we should require
clearinghouses to comply with all of the provisions of the individual
rights section.
11. Rights and Procedures for a Written Notice of Information Practices
(Sec. 164.512)
We are proposing that individuals have a right to an adequate
notice of the information practices of covered plans and providers. The
notice would be intended to inform individuals about what is done with
their protected health information and about any rights they may have
with respect to that information. Federal agencies must adhere to a
similar notice requirement pursuant to the Privacy Act of 1974 (5
U.S.C. 552a(e)(3)).
We are not proposing that business partners (including health care
clearinghouses) be required to develop a notice of information
practices because, under this proposed rule, they would be bound by the
information practices of the health plan or health care provider with
whom they are contracting.
The rule requires covered entities to prepare and make available a
notice that informs patients about their privacy rights and the
entity's actions to protect privacy. Entities that do not already
comply with the rule's requirements would incur one-time legal and
administrative costs in preparing and making the notice available. In
addition, plans would incur ongoing costs related to the dissemination
of the notice at least once every three years, and all covered entities
would have ongoing costs related to preparation of new notices as
disclosure practices change, dissemination to new individuals who
receive services, and requests for copies of the notice. Entities would
also incur ongoing costs related to answering questions stemming from
the notice. In addition to requiring a basic notice, we considered
requiring a longer more detailed notice, that would be available to
individuals on request. However, we decided that making information
available on request, and letting the covered entity decide how best to
provide such information, is a more balanced approach. We felt that it
would be overly burdensome to all entities, especially small entities,
to require two notices.
We considered requiring covered plans or providers to obtain a
signed copy of the notice form (or some other signed indication of
receipt) when they give the form to individuals. There are advantages
to including such a requirement. A signed acknowledgment would provide
evidence that the notice form has been provided to the individual.
Further, the request to the individual to formally acknowledge receipt
would highlight the importance of the notice, providing additional
encouragement for the individual to read it and ask questions about its
content.
We are concerned, however, that requiring a signed acknowledgment
would significantly increase the administrative and paperwork burden of
this provision. We also are unsure of the best way for health plans to
obtain a signed acknowledgment because plans often do not have face-to-
face contact with enrollees. It may be possible to collect an
acknowledgment at initial enrollment, for example by adding an
additional acknowledgment to the enrollment form, but it is less clear
how to obtain it when the form is revised. We solicit comment on
whether we should require a signed acknowledgment. Comments that
address the relative advantages and burdens of such a provision would
be most useful. We also solicit comment on the best way for health
plans to obtain signed acknowledgments from enrollees if such a
provision is included in the final rule. We also solicit comments on other
strategies, not involving signed acknowledgments, to ensure that
individuals are effectively informed about the information practices of
covered plans or providers.
We believe that the proposed rule appropriately balances a
patient's need for information and assurances regarding privacy with
the covered entities' need for flexibility in describing their
operations and procedures to protect patient privacy. Instead of a
model notice, we have included a sample notice to guide the development
of notices. We felt that this would be an appropriate way to reduce the
burden on all entities including those classified as small.
In Sec. 164.512, we propose the categories of information that
would be required in each notice of information practices, the specific
types of information that would have to be included in each category,
and general guidance as to the presentation of written materials. A
sample notice is provided at Appendix A of this preamble.
In a separate section of this proposed rule, we would require
covered plans or providers to develop and document policies and
procedures relating to use, disclosure, and access to protected health
information. See proposed Sec. 164.520. We intend for the documentation
of policies and procedures to be a tool for educating the entity's
personnel about its policies and procedures. In addition, the
documentation would be the primary source of information for the notice
of information practices. We intend for the notice to be a tool for
educating individuals served by the covered plan or provider about the
information practices of that entity. The information contained in the
notice would not be as comprehensive as the documentation, but rather
would provide a clear and concise summary of relevant policies and
procedures.
[[Page 60029]]
We considered prescribing specific language that each covered plan
or provider would include in its notice. The advantages of this
approach would be that the recipient would get exactly the same
information from each covered plan or provider in the same format, and
that it would be convenient for covered plans or providers to use a
uniform model notice.
There are, however, several disadvantages to this approach. First,
and most important, no model notice could fully capture the information
practices of every covered plan or provider. Large entities would have
different information practices than small entities. Some health care
providers, for example academic teaching hospitals, may routinely
disclose identifiable health information for research purposes. Other
health care providers may rarely or never make such disclosures. To be
useful to individuals, each entity's notice of information practices
should reflect its unique privacy practices.
Another disadvantage of prescribing specific language is that it
would limit each covered plan or provider's ability to distinguish
itself in the area of privacy protections. We believe that if
information on privacy protections were readily available, individuals
might compare and select plans or providers based on their information
practices. In addition, a uniform model notice could easily become
outdated. As new communication methods or technologies are introduced,
the content of the notices might need to reflect those changes.
In proposed Sec. 164.512, we would require each covered plan and
provider to include in the notice an explanation of how it uses and
discloses protected health information. The explanation must be
provided in sufficient detail as to put the individual on notice of the
uses and disclosures expected to be made of his or her protected health
information. As explained above in section II.C.7, covered plans and
providers may only use and disclose protected health information for
purposes stated in this notice.
We considered requiring the notice to include not only a discussion
of the actual disclosure practices of the covered entity, but also a
listing or discussion of all additional disclosures that are authorized
by law. We considered this approach because, under this proposed rule,
covered plans or providers would be permitted to change their
information practices at any time, and therefore individuals would not
be able to rely on the entity's current policies alone to understand
how their protected health information may be used in the future. We
recognize that in order to be fully informed, individuals need to
understand when their information could be disclosed.
We rejected this approach because we were concerned that a notice
with such a large amount of information could be burdensome to both the
individuals receiving the notices and the entities required to prepare
and distribute them. There are a substantial number of required and
permitted disclosures under State or other applicable law, and this
rule generally would permit them to be made.
Alternatively, we considered requiring that the notice include all
of the types of permissible disclosures under this rule (e.g., public
health, research, next-of-kin). We rejected that approach for two
reasons. First, we felt that providing people with notice of the
intended or likely disclosures of their protected health information
was more useful than describing all of the potential types of
disclosures. Second, in many States and localities, different laws may
affect the permissible disclosures that an entity may make, in which
case a notice only discussing permissible disclosures under the federal
rule would be misleading. While it would be possible to require covered
plans or providers to develop notices that discuss or list disclosures
that would be permissible under this rule and other law, we were
concerned that such a notice may be very complicated because of the
need to discuss the interplay of federal, State or other law for each
type of permissible disclosure. We invite comments on the best approach
to provide the most useful information to individuals without
overburdening either covered plans or providers or the recipients of
the notices.
In Sec. 164.520, we are proposing to require all covered entities
to develop and document policies and procedures for the use of
protected health information. The notice would simply summarize those
documented policies and procedures and therefore would entail little
additional burden.
It is critical to the effectiveness of this proposed rule that
individuals be given the notice often enough to remind them of their
rights, but without overburdening covered plans or providers. We
propose that all covered plans and providers would be required to make
their notice available to any individual upon request, regardless of
whether the requestor is already a patient or enrollee. We believe that
broad availability would encourage individuals or organizations to
compare the privacy practices of plans or providers to assist in making
enrollment or treatment choices. We also propose additional
distribution requirements for updating notices, which would be
different for health plans and health care providers. The requirements
for health plans and health care providers are different because we
recognize that they have contact with individuals at different points
in time in the health care system.
We considered a variety of combinations of distribution practices
for health plans and are proposing what we believe is the most
reasonable approach. We would require health plans to distribute the
notice by the effective date of the final rule, at enrollment, within
60 days of a material change to the plan's information practices, and
at least once every three years.
We considered requiring health plans to post the notice either in
addition to or instead of distribution. Because most individuals rarely
visit the office of their health plan, we do not believe that this
would be an effective means of communication. We also considered either
requiring distribution of the notice more or less frequently than every
three years. As compared to most health care providers, we believe that
health plans often are larger and have existing administrative systems
to cost effectively provide notification to individuals. Three years
was chosen as a compromise between the importance of reminding
individuals of their plans' information practices and the need to keep
the burden on health plans to the minimum necessary to achieve this
objective. We are soliciting comment on whether requiring a notice
every three years is reasonable for health plans.
We propose to require that covered health care providers provide a
copy of the notice to every individual served at the time of first
service delivery, that they post the notice in a clear and prominent
location where it is reasonable to expect individuals seeking service
from the provider to be able to read the notice, and that copies be
available on-site for individuals to take with them. In addition, we
propose to require that covered health care providers provide a copy of
the notice to individuals they are currently serving at their first
instances of service delivery within a year of the effective date of
the final rule.
We would not require providers to mail or otherwise disseminate
their notices after giving the notice to individuals at the time of the
first service delivery. Providers' patient lists may include
individuals they have not served in decades.
[[Page 60030]]
It would be difficult for providers to distinguish
between ``active'' patients, those who are seen rarely, and those who
have moved to different providers. While some individuals would
continue to be concerned with the information practices of providers
who treated them in the distant past, overall the burden of an active
distribution requirement would not be outweighed by improved individual
control and privacy protection.
If a provider wishes to make a material change in the information
practices addressed in the notice, it would be required to revise its
notice in advance. After making the revision, the provider would be
required to post the new notice promptly. We believe that this approach
creates the minimum burden for providers consistent with giving
individuals a clear source of accurate information.
12. Rights and Procedures for Access for Inspection and Copying
(Sec. 164.514)
In Sec. 164.514, we are proposing that, with very limited
exceptions, individuals have a right to inspect and copy protected
health information about them maintained by a covered health plan or
health care provider in a designated record set. Individuals would also
have a right of access to protected health information in a designated
record set that is maintained by a business partner of a covered plan
or provider when such information is not a duplicate of the information
held by the plan or provider, including when the business partner is
the only holder of the information or when the business partner has
materially altered the protected health information that has been
provided to it.
In Sec. 164.506(e), we are proposing that covered plans and
providers include specific terms in their contract with each business
partner. One of the required terms would be that the business partner
must provide for inspection and copying of protected health information
as provided in this section. Because our authority is limited by HIPAA
to the covered entities, we must rely upon covered plans and providers
to ensure that all of the necessary protected health information
provided by the individual to the plan or provider is available for
inspection and copying. We would require covered plans and providers to
provide access to information held in the custody of a business partner
when it is different from information maintained by the covered plan or
provider. We identified two instances where this seemed appropriate:
when the protected health information is only in the custody of a
business partner and not in the custody of the covered plan or
provider; and when protected health information has been materially
altered by a business partner. We are soliciting comment on whether
there are other instances where access should be provided to protected
health information in the custody of a business partner.
Other than in their capacity as business partners, we are not
proposing to require clearinghouses to provide access for inspection
and copying. As explained above in section II.C.5, clearinghouses would
usually be business partners under this proposed rule and therefore
they would be bound by the contract with the covered plan or provider.
See proposed Sec. 164.506(e). We carefully considered whether to
require clearinghouses to provide access for inspection and copying
above and beyond their obligations as a business partner, but
determined that the typical clearinghouse activities of translating
record formats and batching transmissions do not involve setting up
designated record sets on individuals. Although the data maintained by
the clearinghouse is protected health information, it is normally not
accessed by individual identifier and an individual's records could not
be found except at great expense. In addition, although clearinghouses
process protected health information and discover errors, they do not
create the data and make no changes in the original data. They,
instead, refer the errors back to the source for correction. Thus,
individual access to clearinghouse records provides no new information
to the individual but could impose a significant burden on the
industry.
We are proposing that covered plans and providers be required to
provide access for as long as the entity maintains the protected health
information. We considered requiring covered plans and providers to
provide access for a specific period or defining a specific retention
period. We rejected that approach because many laws and professional
standards already designate specific retention periods and we did not
want to create unnecessary confusion. In addition, we concluded that
individuals should be permitted to have access for as long as the
information is maintained by the covered plan or provider. We are
soliciting comments on whether we should include a specific duration
requirement in this proposed rule.
Proposed Sec. 164.514 would permit denial of inspection and copying
under very limited circumstances. The categories of denials would not
be mandatory; the entity could always elect to provide all of the
requested health information to the individual. For each request by an
individual, the entity could provide all of the information requested
or it could evaluate the requested information, consider the
circumstances surrounding the individual's request, and make a
determination as to whether that request should be granted or denied.
We intend to create narrow exceptions to the stated rule of open access
and we would expect covered plans and providers to employ these
exceptions rarely, if at all.
We considered whether entities should be permitted to deny access
to information based on a number of factors. For more specific
discussion of access denials, please refer to earlier preamble text.
For the purposes of the economic impacts, it is important to note that
these denials are optional and, therefore, any costs associated with
utilizing these denials are optional.
In Sec. 164.514(c) and (d), we are proposing that covered plans and
providers be required to have procedures that enable individuals to
exercise their rights to inspect and obtain a copy of protected health
information as explained above.
We considered whether this proposed rule should include detailed
procedures governing an individual's request for inspection and copying.
Because this proposed rule would affect such a wide range of entities,
we concluded that it should only provide general guidelines and that
each entity should have the discretion to develop procedures consistent
with its own size, systems, and operations.
In Sec. 164.514(d)(2), we are proposing that the covered plans and
providers would take action upon the request as soon as possible but
not later than 30 days following receipt of the request. We considered
the possibility of not including a time limitation but rather imposing
a ``reasonableness'' requirement on the covered plans or providers. We
concluded that the individual is entitled to know when to expect a
response. This is particularly important in the context of health
information, where an individual could need access to his or her
information in order to make decisions about care. Therefore, in order
to determine what would be ``reasonable,'' we examined the time
limitations provided in the Privacy Act, the Freedom of Information Act
(FOIA), and several State laws.
The Privacy Act requires that upon receipt of a request for
amendment (not access), the agency would send an acknowledgment to the
individual
[[Page 60031]]
within 10 working days. (5 U.S.C. 552a (d)(2)). We considered several
options that included such an acknowledgment requirement. An
acknowledgment would be valuable because it would assure the individual
that their request was received. Despite the potential value of
requiring an acknowledgment, we concluded that it could impose a
significant administrative burden on some of the covered plans and
providers. This proposed rule would cover a wide range of entities with
varying capacities and therefore, we are reluctant to create
requirements that would overwhelm smaller entities or interfere too
much with procedures already in place. We would encourage plans and
providers to have an acknowledgment procedure in place, but would not
require it at this point. We are soliciting comment on whether this
proposed rule should require such an acknowledgment.
We also considered whether to include specific procedures governing
``urgent'' or ``emergency'' requests. Such procedures would require
covered plans and providers to respond in a shorter time frame. We
recognize that circumstances could arise where an individual would
request inspection and copying on an expedited basis and we encourage
covered plans or providers to have procedures in place for handling
such requests. We are not proposing additional regulatory time
limitations to govern in those circumstances. The 30-day time
limitation is intended to be an outside deadline, rather than an
expectation. Instead, we would expect a plan or provider to always be
attentive to the circumstances surrounding each request and respond in
an appropriate time frame, not to exceed 30 days.
Finally, we considered including a section governing when and how
an entity could have an extension for responding to a request for
inspection and copying. For example, the FOIA provides that an agency
could request additional time to respond to a request if the agency
needs to search for and collect the requested records from facilities
that are separate from the office processing the request; to search
for, collect, and appropriately examine a voluminous amount of separate
and distinct records; and to consult with another entity or component
having a substantial interest in the determination of the request. We
determined that the criteria established in the FOIA are tailored to
government information systems and therefore might not be appropriate
for plans and providers covered by this proposed rule. Furthermore, we
determined that the 30-day time period would be sufficient for
responding to requests for inspection and copying and that extensions
should not be necessary. We are soliciting comments on whether a
structured extension procedure should be included in this proposed
rule.
In Sec. 164.514(d)(3), we are proposing that covered plans or
providers be required to notify the individual of the decision to
provide access and of any steps necessary to fulfill the request. In
addition we propose that the entity provide the information requested
in the form or format requested if it is readily producible in such
form or format. Finally, if the covered plan or provider accepts an
individual's request, it would be required to facilitate the process of
inspection and copying.
In proposed Sec. 164.514(d)(3)(iv), we would permit a covered plan
or provider to charge a reasonable, cost-based fee for copying health
information provided pursuant to this section. We considered whether we
should follow the practice in the FOIA and include a structured fee
schedule. We concluded that the FOIA was developed to reflect the
relatively uniform government costs and that this proposed rule would
apply to a broader range of entities. Depending on the size of the
entity, copying costs could vary significantly. Therefore, we propose
that the entity simply charge a reasonable, cost-based fee.
In Sec. 164.514(d)(4), we propose that a covered plan or provider
that denies an individual's request for inspection and copying in whole
or in part be required to provide the individual with a written
statement in plain language explaining the reason for the denial. The
statement could include a direct reference to the section of the
regulation relied upon for the denial, but the regulatory citation
alone would not sufficiently explain the reason for the denial. The
statement would need to include the name and number of the contact
person or office within the entity who is responsible for receiving
complaints. In addition, the statement would need to include
information regarding the submission of a complaint with the Department
pursuant to Sec. 164.522(b).
We considered proposing that covered plans and providers provide a
mechanism for appealing a denial of inspection and copying. We believe,
however, that the requirement proposed in Sec. 164.518(d) that covered
plans and providers have complaint procedures to address patient and
enrollee privacy issues generally would allow the individual to raise
the issue of a denial with the covered plan or provider. We would
expect the complaint procedures to be scalable; for example, a large
plan might develop a standard complaint process in each location where
it operates whereas, a small practice might simply refer the original
request and denial to the clinician in charge for review. We would
encourage covered plans and providers to institute a system of appeals,
but would not require it by regulation. In addition, the individual
would be permitted to file a complaint with the Department pursuant to
Sec. 164.522(b).
13. Rights and Procedures With Respect to an Accounting of Disclosures
(Sec. 164.515)
In this proposed rule, we propose that individuals have a right to
receive an accounting of all instances where protected health
information about them is disclosed by a covered entity for purposes
other than treatment, payment, and health care operations, subject to
certain time-limited exceptions for disclosures to law enforcement and
oversight agencies as discussed below. Providing such an accounting
would allow individuals to understand how their health information is
shared beyond the basic purposes of treatment, payment and health care
operations.
We considered whether to require covered entities to account for
all disclosures, including those for treatment, payment and health care
operations. We rejected this approach because it would be burdensome
and because it would not focus on the disclosures of most interest to
individuals. Upon entering the health care system, individuals are
generally aware that their information would be used and shared for the
purpose of treatment, payment and health care operations. They have the
greatest interest in an accounting of circumstances where the
information was disclosed for other purposes that are less easy to
anticipate. For example, an individual might not anticipate that his or
her information would be shared with a university for a research
project, or would be requested by a law enforcement agency.
We are not proposing that covered entities include uses and
disclosures for treatment, payment and health care operations in the
accounting. We believe that it is appropriate for covered entities to
monitor all uses and disclosures for treatment, payment and health care
operations, and they would be required to do so for electronically
maintained information by the Security Standard. However, we do not
believe that covered entities should be required to provide an
accounting of the uses and disclosures for treatment, payment, and
health care operations.
[[Page 60032]]
This proposed rule would not specify a particular form or format
for the accounting. In order to satisfy the accounting requirement, a
covered entity could elect to maintain a systematic log of disclosures
or it could elect to rely upon detailed record keeping that would
permit the entity to readily reconstruct the history when it receives a
request from an individual. We would require that covered entities be
able to respond to a request for accounting within a reasonable time
period. In developing the form or format of the accounting, covered
entities should adopt policies and procedures that would permit them to
respond to requests within the 30-day time period in this proposed
rule.
We also considered whether or not the disclosure history should be
a formal document that is constantly maintained or whether we should
give more flexibility to entities in this regard. We decided that since
our ultimate goal is that individuals have access to a disclosure
history of their records upon request, it would be reasonable to
require only that they be able to do this. We are not prescribing how
they fulfill the requirement. We also believe that it is less
burdensome to require that they be able to create a disclosure history
than to require that they have a specific format for maintaining a
disclosure history.
We are proposing that the accounting include all disclosures for
purposes other than treatment, payment, and health care operations,
subject to certain exceptions for disclosures to law enforcement and
oversight agencies, discussed below. This would also include
disclosures that are authorized by the individual. The accounting would
include the date of each disclosure; the name and address of the
organization or person who received the protected health information;
and a brief description of the information disclosed. For all
disclosures that are authorized by the individual, we are proposing
that the covered entity maintain a copy of the authorization form and
make it available to the individual with the accounting.
We considered whether the accounting of disclosures should include
the name of the person who authorized the disclosure of information.
The proposed Security Standard would require covered entities to have
an audit mechanism in place to monitor access by employees. We
concluded that it would be unnecessary and inappropriate to require the
covered entity to include this additional information in the
accounting. If the individual identifies an improper disclosure by an
entity, he or she should hold the entity, not the employee of the
entity, accountable. It is the responsibility of the entity to train its
workforce about its policies and procedures for the disclosure of
protected health information and to impose sanctions if such policies
and procedures are violated.
14. Rights and Procedures for Amendment and Correction (Sec. 164.516)
This proposed rule would provide an individual with the right to
request a covered plan or provider to amend or correct protected health
information relating to the individual. A covered plan or provider
would be required to accommodate requests with respect to any
information that the covered plan or provider determines to be
erroneous or incomplete, that was created by the plan or provider, and
that would be available for inspection and copying under proposed
Sec. 164.514.
We are concerned about the burden that requests for amendment or
correction could place on covered plans and providers and have tried to
limit the process to those situations where amendment or correction
would appear to be most important. We invite comment on whether our
approach reasonably balances burden with adequately protecting
individual interests.
We propose to require a covered plan or provider to accommodate a
request for amendment or correction if the plan or provider created the
information in dispute. We considered requiring covered plans and
providers to amend or correct any erroneous or incomplete information
it maintains, regardless of whether it created the information. Under
this approach, if the plan or provider did not create the information,
then it would have been required to trace the information back to the
original source to determine accuracy and completeness. We rejected
this option because we concluded that it would not be appropriate to
require the plan or provider that receives a request to be responsible
for verifying the accuracy or completeness of information that it did
not create. We also were concerned about the burden that would be
imposed on covered plans and providers if they were required to trace
the source of any erroneous or incomplete information transmitted to
them.
We would rely on a combination of three other requirements to
ensure that protected health information remains as accurate as
possible as it travels through the health care system. First, we are
proposing that a covered plan or provider that makes an amendment or
correction be required to notify any relevant persons, organizations,
or other entities of the change or addition. Second, we are proposing
that other covered plans or providers that receive such a notification
be required to incorporate the necessary amendment or correction.
Finally, we are proposing that covered plans or providers require their
business partners who receive such notifications to incorporate any
necessary amendments or corrections. See the discussion in section
II.F.4. We are soliciting comments whether this approach would
effectively ensure that amendments and corrections are communicated
appropriately.
We are proposing that covered plans and providers be required to
accommodate requests for amendment or correction for as long as the
entity maintains the protected health information. We considered
requiring covered plans and providers to accommodate requests for a
specific period or defining a specific retention period. We rejected
that approach because many laws and professional standards already
designate specific retention periods and we did not want to create
confusion. In addition, we concluded that individuals should be
permitted to request amendments or corrections for as long as the
information is maintained by the covered plan or provider. We are
soliciting comments on whether we should include a specific duration
requirement in this proposed rule.
In Sec. 164.516, we are proposing that covered plans and providers
be required to have procedures that enable individuals to exercise
their rights to request amendment or correction, including a means by
which individuals could request amendment or correction of protected
health information about them. We considered whether this proposed rule
should include detailed procedures governing an individual's request.
But as with the procedures for requesting inspection and copying, we
are only providing a general requirement and permitting each plan or
provider to develop procedures in accordance with its needs. Once the
procedures are developed, the plan or provider would document them in
accordance with Sec. 164.520 and include a brief explanation in
the notice that is provided to individuals pursuant to
Sec. 164.512.
We are proposing that the covered plan or provider would take
action on a request for amendment or correction as quickly as the
circumstances require, but not later than 60 days following the
[[Page 60033]]
request. The justification for establishing a time limitation for
amendment and correction is virtually identical to that provided for
the time limitation for inspection and copying. We concluded that the
entity should be provided with some additional flexibility in this
context. Depending on the nature of the request, an amendment or
correction could require significantly more time than a request for
inspection and copying. If a covered plan or provider needed more than
30 days to make a decision, we would encourage, but not require, it to
send an acknowledgment of receipt to the individual including an
explanation of the reasons for the delay and a date when the individual
could expect a final decision.
In Sec. 164.516(c)(3), we are proposing that, upon accepting an
amendment or correction, the covered plan or provider would be required
to make reasonable efforts to notify relevant persons, organizations,
or other entities of the change or addition. An entity would be
required to notify such persons that the individual identifies, or that
the covered plan or provider identifies as (1) a recipient of the
erroneous or incomplete information, and (2) a person who:
(i) Has relied upon that information to the detriment of the
individual; or
(ii) Could foreseeably rely on such erroneous or incomplete
information to the detriment of the individual.
We are concerned about the potential burden that this notification
requirement would impose on covered plans and providers. We do not,
however, anticipate that a significant number of requests would be
submitted to any entity and therefore the need for such notifications
would be rare. In addition, we determined that because health
information can travel so quickly and efficiently in the modern health
care system, the need for notification outweighed the potential burden.
It is important to note that a reasonableness standard should be
applied to the notification process--if the recipient has not relied
upon the erroneous or incomplete information to the detriment of the
individual or if it is not foreseeable that the recipient would do so,
then it would not be reasonable for the covered plan or provider to
incur the time and expense of notification. If, however, the
incorrect information is reasonably likely to be used to the detriment
of the individual, the entity should make every effort to notify the
recipients of the information of the changes as quickly as possible.
We discussed a number of options regarding the notification of
other entities. We considered only requiring that the entity provide
the individual with a listing of who else could have received the
information. This would place the burden of notification in the hands
of the individual rather than the entity. Because individuals would not
have the same contacts and relationship with other entities as the
original covered entity, we decided that placing the burden on
individuals would be more cumbersome for both individuals and the
secondary entities receiving the requests. We also considered not
including a notification requirement. However, this would mean that
individuals would need to both figure out where the information had
gone to and make separate requests for amendment or correction to every
entity. This also appeared to be overly difficult. We believe that the
option we are proposing is fair to both individuals and covered
entities.
In proposed Sec. 164.516(c)(4), we would require a covered plan or
provider to provide the individual with a written statement in plain
language of the reason for the denial and permit the individual to file
a written statement of disagreement with the decision to deny the
request.
If the individual chooses to file a statement of disagreement, then
the covered plan or provider must retain a copy of the statement with
the protected health information in dispute. The covered plan or
provider could require that the statement be of a reasonable length,
provided that the individual has a reasonable opportunity to state the
nature of the disagreement and offer his or her version of accurate and
complete information. In all subsequent disclosures of the information
requested to be amended or corrected, the covered plan or provider
would be required to include a copy of its statement of the basis for
denial and, if provided by the individual, a copy of his or her
statement of disagreement. If the statement submitted by the individual
is unreasonably long, the covered plan or provider could include a
summary in subsequent disclosures which reasonably explains the basis
of the individual's position. The covered plan or provider would also
be permitted to provide a rebuttal to the individual's statement of
disagreement and include the rebuttal statement in any subsequent
disclosures.
We considered requiring the covered plan or provider to provide a
mechanism for appealing denials of amendment or correction but
concluded that it would be too burdensome. We are soliciting comment on
whether the approach we have adopted reasonably balances the burdens on
covered plans or providers with the rights of individuals.
If a covered plan or provider receives a notification of erroneous
or incomplete protected health information as provided in proposed
Sec. 164.516(d), we are proposing that the covered plan or provider
be required to make the necessary amendment or correction to protected
health information in its custody that would be available for
inspection and copying. This affirmative duty to incorporate amendments
and corrections would be necessary to ensure that individuals'
protected health information is as accurate and complete as possible as
it travels through the health care system.
15. Administrative Requirements (Sec. 164.518)
We propose that covered entities be required to implement five
basic administrative requirements to safeguard protected health
information: Designation of a privacy official, the provision of
privacy training, establishment of safeguards, a complaint process, and
establishment of sanctions. Implementation of these requirements would
vary depending on a variety of different factors such as type of entity
(e.g., provider or plan), size of entity (e.g., number of employees,
number of patients), the level of automation within the entity (e.g.,
electronic medical records), and organization of the entity (e.g.,
existence of an office of information systems, affiliation with a
medical school).
a. Designation of a Privacy Official (Sec. 164.518(a))
In proposed Sec. 164.518(a), we would require covered entities to
designate an employee or other person to serve as the official
responsible for the development of policies and procedures for the use
and disclosure of protected health information. The designation of an
official would focus the responsibility for development of privacy
policy.
We considered whether covered entities should be required to
designate a single official or an entire board. We concluded that a
single official would better serve the purposes of focusing the
responsibility and providing accountability within the entity. The
implementation of this requirement would depend on the size of the
entity. For example, a small physician's practice might designate the
office manager as the privacy official, and he or she would assume this
as one of his or her broader administrative responsibilities. A large
entity might appoint a person whose sole
[[Page 60034]]
responsibility is privacy policy, and he or she might choose to convene
a committee representing several different components of the entity to
develop and implement privacy policy.
b. Training (Sec. 164.518(b))
In proposed Sec. 164.518(b), we would require covered entities to
provide training on the entity's policies and procedures with respect
to protected health information. Each entity would be required to
provide initial training by the date on which this proposed rule
becomes applicable. After that date, each covered entity would have to
provide training to new members of the workforce within a reasonable
time period after joining the entity. In addition, we are proposing
that when a covered entity makes material changes in its privacy
policies or procedures, it would be required to retrain those members
of the workforce whose duties are directly