David L. Hemond
Connecticut Law Revision Commission
Room 509A
State Capitol
Hartford, CT 06106-1591
(860) 240-0220
FAX: (860) 240-0322
David.Hemond@PO.STATE.CT.US
To: Members of the Drafting Committee to Revise the Uniform Health Care Information Act
From: David L. Hemond, Reporter
Re: Subject matter comparison of proposed Uniform Act and Federal Regulations
Date: January 31, 2000
For purposes of the next committee meeting scheduled for February 25 through 27 and in response to a request from King Burnett, I prepared the following analysis comparing the committee draft of the Uniform Act (Act) with the proposed federal regulations (Regulations) promulgated by the Department of Health and Human Services. I generally use the section numbers from the Uniform Act to structure the report. Matters covered by the Regulations but not by the Act are reviewed in the latter part of the analysis.
The Committee needs to confront a threshold issue of what role the Regulation preemption rules, if implemented as proposed, leave for a uniform act. The report begins with a discussion of federal preemption and the scope of the respective laws, and reviews whether a default uniform state law such as the Uniform Act remains relevant. There is, in short, a serious question as to how to proceed if the Regulations as proposed become effective. The tentative effective date of the Regulations is February 21, 2000, although the date may be extended in light of an extension made to the comment period.
Preemption
Sections 160.201 through 160.203 of the Regulations set out criteria for preemption of state law. The general rule, set out in section 160.203, is that "A standard, requirement, or implementation specification adopted under or pursuant to [the Regulations] that is contrary to a provision of State law preempts the provision of state law." There are essentially four exceptions to preemption:
(1) The Secretary determines that the provision of state law (a) is necessary to prevent fraud and abuse, ensure appropriate state regulation of insurance and health plans, report on health care delivery or costs, or for purposes related to improving Medicare, Medicaid or the efficiency and effectiveness of the health care system; or (b) addresses controlled substances;
(2) the state law relates to the privacy of health information and is more stringent than a standard, requirement, or implementation specification of the Regulation;
(3) the state law is established to provide for reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention; or
(4) the state law requires a health plan to report or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification.
The terms "contrary" and "more stringent" are defined. Section 160.204 sets out a process for requesting a determination or advisory opinion from the Secretary concerning preemption issues.
The Uniform Act does not fall under the express exceptions to preemption. Like the Regulations, the Act conceptually sets a floor, allowing a state to provide more stringent rules for specified cases and more liberal rules for various public health purposes.
Moreover, the administrative compliance requirements of the Regulations, particularly with respect to safeguards, are significantly more stringent than those of the Act. In areas covered by the Regulations, the Regulations appear to generally preempt most or all of the default state laws currently proposed by the Act.
That generalization does not apply with respect to information that is not covered by the Regulations. The Regulations do have a theoretical gap in coverage. A small health provider such as an individual physician who is not engaged with the mainstream medical community in electronically transmitting data is not directly covered. Similarly, an entity that does not qualify as a "covered entity" under the Regulations and that receives information from such an uncovered physician is similarly exempt.
Such a theoretical gap might provide a rationale for enacting a default state confidentiality law. Comments to the Regulations urge that Congress enact comprehensive legislation and indicate that the Regulation drafters were concerned about the gap in coverage. For example, the promulgators note, at pages 59926-7, section 11, of the commentary set out in the Federal Register, "Although the promise of these proposed standards cannot become reality for many patients because of the gaps in our authority, we believe they would provide important new protections…We continue to believe, however, that federal legislation is the best way to guarantee these protections. The HIPAA legislative authority does not allow full implementation of our recommended policies in this proposed rule. The legislation limits the entities that can be held responsible for their use of protected health information, and the ways in which the covered entities can be held accountable. For these and other reasons, we continue to call upon Congress to pass comprehensive federal privacy legislation."
I have added language to the Act to facilitate its compatibility with the Regulations. I expect, however, that an act drafted specifically to "cover the gap" might look substantially different from what we have proposed. Moreover, notwithstanding the theoretical gap and the comments, I believe that the Regulations effectively cover the field of medicine as it is actually practiced. A provider and any other mainstream health or health insurance entity that handles any covered records is governed, as a "covered entity", by the many administrative safeguard requirements set out by the Regulations. Those administrative requirements include safeguards for any information disseminated to any other party. The general rule set out by section 164.518(c) is that "A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information." Comprehensive implementation requirements follow up that rule with specifications governing disclosures. For example, section 164.518(c)(3) requires that "A covered entity must have safeguards to ensure that information is not used in violation of the requirements of this subpart or by members of its workforce or components of the entity or employees or other persons associated with, or components of, its business partners who are not authorized to access the information." Section 164.506 (e) concerning disclosures to business partners, requires that the entity and the partner have entered into a contract prohibiting further unauthorized disclosures. In essence, once covered by the Regulations, the only protected information that will find its way out of the regulatory net appears to be information disclosed pursuant to the express authorization of the patient or under express laws authorizing disclosures for public policy reasons.
The drafters of the Regulations were aware that they were interpreting their mandate broadly. The comments at pages 59927-8, concerning regulatory authority, explain why regulatory requirements are not (as might have been expected) restricted to "electronic information", and note, for example, that "Thus, we believe that the statute authorizes a privacy regulation covering health information in any form or medium maintained or transmitted by a covered entity."
In the real world practice of medicine, with its regulatory framework and the increasing dominance of managed care, health plans, insurance reimbursers, and government health plans, any provider in the mainstream of health care practice will, I think, be forced to comply with these Regulations, which (except as noted) will therefore effectively preempt the field. Because "covered entities" includes all health plans and reimbursers, as a practical matter a provider would have to restrict his practice to self-paying patients and would have to closely hold records in his office to avoid the regulatory reach. In practice, providers will choose to comply with the Regulations, if only to avoid the substantial potential liabilities that might otherwise be incurred. Similarly, a given provider might, in a given context, legally hold information that is not explicitly covered by the Regulations without complying with the Regulations. However, it will be impractical for providers to segregate covered information from information that is not covered and they are therefore likely to subject all of the information to the regulatory requirements. Thus, almost all practitioners will choose to (or will be required to) comply with the Regulations in the modern medical environment.
For this reason, if the Regulations are adopted, serious questions are raised as to how to pursue further work on a state Uniform Act.
The following issues, at least, should be considered.
It is possible that the Regulations will not be enacted in their current form. Implementation of the Regulation administrative standards will require major costs to the health care industry (discussed, with reported benefits, at length in the Regulation commentary) and may be subject to significant opposition. Moreover, they have been promulgated in a field noted more for legislative failures than successes. A viable Uniform Act remains important if the federal government is ultimately unable to both regulate and legislate.
It is also possible that the Regulations will be implemented but that the preemption rules or rules of coverage will be significantly revised. Such an implementation of the Regulations might provide for a larger role for state law. In that case, the Uniform Act might remain viable but require appropriate integrating revisions.
The Regulations have some conceptual weaknesses, particularly with respect to coverage and enforcement. There may be circumstances in which an uncovered entity obtains access to information and has no legal requirement to maintain confidentiality. While the Regulation promulgators sought to preclude that possibility through safeguard requirements and disclosure limitations, the Department of Health and Human Services will be unable to sanction actions by entities outside of its authorization. The Regulations also lack a private right of action to ameliorate whatever weaknesses appear under the agency complaint process. The Committee might wish to act through the Act to address those weak areas of coverage. However, the Act as proposed, which is focused on providers, may have a similar weakness in scope of coverage. Furthermore, efforts to address these matters through state law may be preempted.
Finally, it is possible that the Regulations, which seek to reach broadly beyond electronic transmissions, will be found to have exceeded their statutory authorization. Such a reversal of agency regulations would similarly affect the relevance of a proposed Uniform Act.
In short, I think the Committee has significant threshold issues. The options, of course, include pressing ahead, deferring action to see what transpires with the Regulations, or deferring further action for the time being. Unfortunately, determining the best course given the variety of possible scenarios with the Regulations and with possible Congressional action may require a crystal ball.
In that light, I offer the following, somewhat truncated, analysis.
Section 1-103 Scope
The Act provides blanket default coverage of "health care information" as defined by section 1-105. Health care information is any identifying information that relates to a patient's health care. Health care refers to professional care given, including "preventive, diagnostic, therapeutic, rehabilitative, or palliative care". It includes the sale or dispensing pursuant to a prescription of a drug, device, equipment or other related item. The Act may be preempted by other law with respect to specific classes of information but in the absence of preemption largely covers the field of provider-created identifying patient health information.
The coverage of the Regulations is restricted by its authorizing legislation. Specifically, section 264 of Pub. L. 104-191 requires that the Department of Health and Human Services adopt national standards with respect to the privacy of individually identifiable health information that is electronically transmitted. The authorizing legislation does not provide an explicit basis for regulating beyond core health care entities or for regulating entities that are not engaged in the electronic transmittal of health care information. Thus, under section 160.102, the Regulations apply to a health plan, a health care clearinghouse, and a health care provider who transmits any health information in electronic form in connection with a covered transaction. As noted by the comments to the Regulations, the restrictions on scope place disconcerting limitations on the ability of the Regulations to cover the field. However, the Regulations were drafted to transcend their limitations. Because they cover any information that enters the electronic information stream and because restrictions broadly apply to the regulated entities that deal with any such information, the Regulations will, in fact, govern the bulk of information generated by the mainstream health care/insurance/managed care providers.
Section 1-105 Definitions
The definitions of "health care" vary only in wording.
The Regulation definition of "health information", at section 160.103, is more explicit than the Act definition of "health care information" as to the kinds of information covered. The Act refers to "any information…that identifies or can readily be associated with the identity of a patient and relates to the patient's health care…" The Regulations expressly apply to information created or received by "a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse" that relates to "the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual."
"Health care provider" is defined by the Act to depend on the state licensing law (any person who is licensed to provide health care). The Regulations, in section 160.103, use a definition based on section 1861 of the Social Security Act, but including "any other person or organization who furnishes, bills, or is paid for health care services or supplies in the normal course of business."
The Act and the Regulations differ in the inclusion of several core definitions.
"Institutional review board" is defined by the Act as a group designated by an institution, or authorized under federal or state law, to review, approve the initiation of, or conduct periodic review of research programs. The Regulations, in section 164.510 (uses and disclosures for which individual authorization is not required), subsection (j) (uses and disclosures for research purposes) refer to boards established in accordance with a number of federal regulations or a privacy board that (A) has members with varying backgrounds and appropriate professional competency as necessary to review the research protocol; (B) Includes at least one member who is not affiliated with the entity conducting the research or related to a person who is affiliated with such entity; and (C) Does not have any member participating in a review of any project in which the member has a conflict of interest.
The Regulations do not define "audit" (Section 1-105(1)).
Section 160.103 of the Regulations defines, and the Act does not, the following:
"Covered entity" - this term refers to the entities that are primarily covered by the Regulations and means a health plan, health care clearinghouse, or health care provider who transmits health information in electronic form.
"Health care clearinghouse" - this term refers to entities that process "nonstandard data elements of health information" into "standard data elements" - in other words an entity that takes the raw treatment transaction and formats it into a code for payment and other purposes.
"Health plan" - this term, at the core of Regulation applicability, brings under regulation auspices all major players in the health insurance and health maintenance fields.
"Small health plan" is defined to allow the Regulations to differentiate the burdens placed on major and minor players.
Section 164.504 of the Regulations defines "business partner", "designated record", "health care operations", "health oversight agency", "law enforcement official", "payment", "individually identifiable health information", "protected health information", "public health authority", "research", "treatment", and other terms. The relevance of some of these definitions is discussed below in the context of their use.
Comment: The definitions of the respective proposals reflect their intended scope and coverage. Decisions on definitions in the Act should be made in the light of intentions as to how the Act will interact with the Regulations.
Section 2-101 Disclosure
Subsection (a) of the Act sets the basic rule that directly covered entities (providers, agents, employees and contractors of a provider) may not disclose health care information to another person without authorization by the patient or through another provision of the Act or of state law. Subsection (b) extends the web of coverage by applying the prohibition on unauthorized disclosure to "a person to whom health care information has been disclosed."
The analogous Regulation is section 164.506, which provides that "A covered entity may not use or disclose an individual's protected health information, except as otherwise permitted or required by this part or as required to comply with applicable requirements of this subchapter."
Comment: The basic rules, as might be expected, are analogous.
Section 2-102 Patient's Authorization
Section 2-102 sets out the Act's process for authorization of a disclosure. To be valid, the authorization must be (1) in writing, dated, and signed, or be in a comparable electronic form, (2) identify the information to be disclosed, (3) identify the person to whom the information is to be disclosed, and (4) include a notice that (a) the information may be used for any purpose unless limited, (b) the authorization expires, within 6 months or such later date, not to exceed 30 months, as specified, (c) the authorization is revocable, and (d) further disclosure by the recipient may be subject to confidentiality requirements.
An authorization under the Act for sale or marketing must be executed separately with a conspicuous statement of its purpose.
Section 164.508 sets out the Regulation requirements for an authorization. The Regulations set out an authorization form, use of which is sufficient. Alternatively, the authorization must meet the standards of subsections (c) and (d). For a request by an individual, subsection (c) requires:
(1) a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
(2) the name of the covered entity, or class of entities or persons, authorized to make the requested use or disclosure;
(3) the name or other specific identification of the person(s) or entity(ies), which may include the covered entity itself, to whom the covered entity may make the requested use or disclosure;
(4) an expiration date;
(5) signature and date;
(6) if the authorization is executed by a legal representative or other person authorized to act for the individual, a description of his or her authority to act or relationship to the individual;
(7) a statement in which the individual acknowledges that he or she has the right to revoke the authorization, except to the extent that the information has already been released under the authorization;
(8) a statement in which the individual acknowledges that information used or disclosed to any entity other than a health plan or health care provider may no longer be protected by federal privacy law.
The Regulation authorization must be in plain language.
If a covered entity makes the request, the authorization must have the following additional elements:
(1) Unless for a clinical trial, a statement that the entity will not condition treatment or payment on the individual's providing authorization for the requested use or disclosure;
(2) a description of the purpose of the requested use or disclosure;
(3) a statement that the individual may inspect or copy the protected information and may refuse to sign the authorization; and
(4) where use or disclosure of the information will result in financial gain to the entity, a statement that such gain will result.
Moreover, in requesting an authorization, a covered entity must:
(1) Have procedures designed to enable it to request only the minimum amount of protected health information necessary to accomplish the purposes for which the request is made; and
(2) provide the person with a copy of the executed authorization.
Comment: The Regulation authorization form and process is more detailed and requires that the patient acknowledge certain rights and limitations. The Committee could consider whether it wishes to include the more elaborate requirements in the Act.
Section 2-103 Patient's revocation of authorization for disclosure
Both the Act and the Regulations, in section 164.508(e), specify the right of an individual to revoke an authorization. The Act makes an exception for disclosure that is required to effectuate payments for health care that has been provided or with respect to health care information that relates to action that has been taken in reliance on the authorization. The Regulation makes an exception where "the covered entity has taken action in reliance thereon."
Comment: The provisions are similar.
Section 2-104 Disclosure without patient's authorization
Both the Act and the Regulations, in section 164.510, provide a broad field of routine health transactions under which express authorization is not required. The federal exemption from the authorization requirement is broader, most notably exempting transactions for payment purposes.
More specifically:
The Act exempts disclosures from the authorization requirement if they are made:
(1) to providers, for the purpose of providing health care to the patient, unless the patient has instructed his provider not to make the disclosure;
(2) if necessary to avoid or minimize an imminent danger to the health or safety of the patient or any other individual;
(3) to immediate family members, or any other individual with whom the patient is known to have a close personal relationship, if made in accordance with good medical or other professional practice, unless the patient has instructed otherwise;
(4) provided that identifying information is necessary and reasonable assurances are given by the recipient, (a) for health care education, or for planning, quality assurance, peer review, or administrative, legal, financial, or actuarial services to the provider, or for assisting in the delivery of health care; and (b) for purposes of an audit if the auditor agrees to remove or destroy, at the earliest reasonable opportunity, identifying information and, agrees not to disclose the information further except to accomplish the audit or report improper conduct;
(5) for research purposes approved by an institutional review board and subjected to standards and safeguards;
(6) to an appropriate official of a penal institution.
The Act also allows (a) disclosure of directory information if the person is an inpatient or receiving emergency care, except as instructed by the patient, (b) disclosure to the extent required by law, and (c) disclosure pursuant to compulsory process as provided in section 2-105.
The Regulations govern disclosures that are exempt from individual authorization in sections 164.506 and 164.510.
Section 164.506(a)(1) provides that a covered entity is permitted to disclose protected health information "to carry out treatment, payment, or health care operations." "Payment" is defined in section 164.504 and includes actions with respect to a health plan "to obtain premiums or to determine or fulfill …responsibility for coverage….", by a provider or plan to "obtain reimbursement", billing and other processing, and related coverage and utilization review activities. "Health care operations", also defined in section 164.504, means activities to carry out the management functions necessary for the support of treatment or payment, including quality assessment, performance reviews, insurance rating and similar reviews, medical review and auditing services, including fraud and abuse detection, and compiling and analyzing information in anticipation of or for use in a civil or criminal legal proceeding.
If a disclosure is not exempt from the individual authorization requirement under section 164.506, it may nonetheless fall under the exemptions of section 164.510. Subsection (b) of that section, subject to detailed standards, allows disclosures for public health purposes to public health authorities and other entities needing and authorized to receive the information for public health purposes. Subsection (c) allows disclosures for health oversight activities authorized by law, including audit, investigation, inspection, civil, criminal, or administrative proceeding or other action or other activity necessary for oversight of the health care system and government benefit and regulatory programs. Subsection (d) allows disclosure for judicial and administrative proceedings in response to an order of a court or administrative tribunal or where the individual is a party to the proceeding and his condition is at issue and disclosure is pursuant to lawful process or otherwise is authorized. Subsection (e) allows disclosure to coroners and medical examiners to identify a deceased and determine cause of death. Subsection (f) allows disclosure for law enforcement purposes if pursuant to certain specified legal processes. Subsection (g) allows disclosure for governmental health data systems that collect health data for analysis in support of policy, planning, regulatory, or management functions authorized by law. Subsection (h) allows disclosure of directory information, pursuant to agreement of the individual, or if the person is incapacitated, at the discretion of the provider "consistent with good medical practice and any prior expressions of preference of which the covered entity is aware". Subsection (i) allows disclosures of "the minimum amount of protected health information necessary to complete a banking or payment activity."
Subsection (j) allows disclosure for research purposes provided that a waiver of the individual authorization has been approved by an appropriate institutional review board. Subsection (k) allows disclosure in emergency circumstances "consistent with applicable law and standards of ethical conduct and based on a reasonable belief that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public." Subsection (l) allows disclosure to a person who is a next-of-kin, other family member, or close personal friend if agreed to, or if agreement cannot practicably be obtained, only as relevant to that person's involvement in the patient's care, consistent "with good health professional practices and ethics." Subsection (m) allows disclosures under specified circumstances involving government entities, including for military purposes, intelligence purposes, and with respect to the foreign service.
Comment: If the Act is intended to be integrated with the Regulations, serious consideration should be given to coordinating the respective provisions that allow disclosures without individual authorization for treatment and public policy purposes. Conceptually, allowing disclosure under one law but not under the other will create confusion for those regulated and will raise preemption issues as to whether, for example, a state's failure to allow the disclosure is a "more stringent" provision that is not subject to preemption. The Regulation provisions are broadly drawn to allow activities within the health care environment to occur without individual authorization. All of those regulated entities are subject to substantial safeguard requirements under the Regulations that are largely lacking - at least in specificity - in the Act.
Section 3-101 Examination and Copying and 3-102 Denial
The Act requires a health care provider to comply in a timely manner with a request for examination and copying. Denial of a request is only allowed as provided in section 3-102. Section 3-102 allows denial if the provider reasonably concludes that: (1) knowledge would be injurious to the patient; (2) knowledge would compromise an individual who properly provided the information in confidence; (3) knowledge could reasonably be expected to endanger life or safety; (4) the information was compiled for litigation, quality assurance, peer review or administrative purposes; or (5) access is otherwise prohibited by law.
Access to information under the Regulations is governed by section 164.514. That section provides an individual with a right of access, including the right to inspect or copy, his information in the hands of his provider or health plan. However, subsection (b) provides an exception to that right of access if (1) the provider has determined "in the exercise of reasonable professional judgment, that knowledge is reasonably likely to endanger the life or physical safety of the individual or another person"; (2) the information is about another person and the information is reasonably likely to cause substantial harm to that person; (3) the information was obtained under a promise of confidentiality and access would be likely to reveal the source of the information; (4) the information was obtained pursuant to a clinical trial under which the individual agreed to denial of access and the trial is in progress; or (5) the information was compiled in reasonable anticipation of, or for use in, a legal proceeding.
Both the Act and the Regulations provide that if some information is accessible and some may be denied, the accessible information must be made available "to the extent possible" consistent with the denial.
The Act requires compliance no later than ten days after the request, or if delayed by circumstances, not later than 21 days after the request. The Regulations require compliance not later than 30 days after the request. The Act allows the provider to charge a reasonable fee. The Regulations allow a reasonable "cost-based" fee for copying.
Where a request is denied, the Act provides remedies allowing examination by another provider, and specifying that in a hearing on the denial, access must be granted unless the provider establishes grounds for refusal. The Regulations provide for, and require notice of, a complaint procedure to the Secretary of Health and Human Services.
Comment: The respective drafts are conceptually quite similar. The committee may wish to consider whether additional changes in the Act are appropriate to avoid conflicts in such areas as response time.
Sections 4-101, 4-102 and 4-103 Correction and dissemination
Sections 4-101, 4-102, and 4-103 set out the Act provisions concerning correction. A patient has a right to correction, or to be informed why the correction is refused and to add a statement of disagreement. There are no provisions stating what grounds may be used to refuse. Under the Act, an entity has 10 days - but no more than 21 days - to respond.
The Regulations contain analogous provisions at section 164.516. The Regulations similarly provide a right to correction and state reasons for a refusal to correct including (1) the record was not created by the entity, (2) the record would not be available under the access rights, or (3) the information is accurate and complete. Under the Regulations, response must be within 60 days. The Regulations contain more elaborate provisions concerning notice to the patient of his rights and of a complaint procedure, and of the obligation to allow a statement of disagreement where a request for correction is refused. Under those provisions the covered entity may establish a limit to the length of the statement of disagreement and may summarize the statement if necessary.
Section 4-103 of the Act requires a provider, on request, to take reasonable steps to provide the correction or statement of disagreement to all persons designated by the patient and identified as having received the information subject to the correction or disagreement. Section 164.516(d) and (e) of the Regulations require a covered entity to have procedures to ensure correction of the appropriate record sets held by itself and its business partners.
Comment: The respective provisions are similar. However, the Regulations cover "covered entities" rather than just "providers" and are drafted to reflect that distinction.
Section 5-101 Notice of information practices
Section 5-101 of the Act requires providers to provide a copy of a notice of information practices to patients at the commencement of the relationship, or if a copy has yet to be provided, at the next treatment session.
Section 164.512 of the Regulations requires that a covered entity that is a health plan or a provider must have procedures that provide adequate notice to individuals of their rights and the procedures for exercising rights with respect to protected health information. A health plan must provide a copy of the notice as of the Regulation compliance date, at the time of enrollment, within 60 days of any material revision of the content of the notice, and no less than once every 3 years. A provider must provide a copy during the one-year period following the compliance date and thereafter at the first service delivery provided, or, if service is not face to face, in another appropriate manner, and the provider must post a copy of the notice.
Under subsection (b) of section 5-101, the Act requires that, except as more specifically provided by applicable regulations, the notice of information practices must contain a notice substantially in compliance with a boilerplate form that provides notice of the provider's rights to disclose without individual authorization and of the patient's rights with respect to the information, including the rights to access and correct records, to revoke authorizations, and to know what safeguards have been established.
Section 164.512 of the Regulations states that the notices must include a plain language statement including the following:
(1) Uses and disclosures, and the entity's policies with respect to uses and disclosures "in sufficient detail to put the individual on notice of the uses and disclosures expected to be made of his or her protected health information, describing uses and disclosures that are required or permitted without individual authorization";
(2) that other disclosures will only be made pursuant to individual authorization, which may be revoked, and that an individual may request that certain uses and disclosures be restricted and that the entity is not required to agree to such a request;
(3) that an individual has the right to request, and a description of the procedures for exercising rights with respect to, inspection and copying, amendment or correction, and accounting of the disclosures made;
(4) that the entity is required by law to protect the privacy of the information, provide notice of its policies, and abide by those policies;
(5) that the entity may change its policies, with a description of how the patient will be notified of the change;
(6) that individuals may complain to the covered entity and the Secretary if they believe their privacy rights have been violated;
(7) a name and number of a contact person;
(8) the date the notice was produced.
Comment: The Regulation notice is more detailed and reflects some of the additional administrative requirements in the Regulations such as the requirement for a contact person. The Regulations retain a posting requirement that was deleted in the most recent Act proposal.
Sections 6-101 and 6-102 Health care representatives
The Act addresses rights of a health care representative or personal representative to act on behalf of a patient.
The Regulations contain an analogous provision in the definition of "individual" set out in section 164.504, which contains language recognizing that "individual" includes other persons legally authorized to act on that individual's behalf.
Comment: The Act and the Regulations accomplish the recognition of representatives in different ways, both of which work.
Section 7-101 Security safeguards
Section 7-101 of the Act requires a health care provider to establish and maintain safeguards for the security of all health care information it maintains, including policies, standards, and procedures for the management of health care information that are reasonably designed to prevent the prohibited collection, use, or disclosure of that information. Safeguards are required to comply with any applicable regulations adopted pursuant to the Act. The section also requires that any person to whom health care information is disclosed in the regular course of business establish similar safeguards. The safeguard policies, standards, and procedures must be disclosed on request.
Subsection (c) of section 164.518 of the Regulations requires that covered entities "have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information." Those safeguards are to be implemented by "administrative, technical, and physical procedures" which must include "adequate procedures for verification of the identity and/or authority" of persons requesting information, where such identity or authority is not known to the entity. The Regulations set out several paragraphs containing standards for "reasonable evidence of identity" and "reasonable evidence of authority". An entity must also have safeguards to ensure that information is not used in violation of the Regulations by members of its workforce or other associated persons. The safeguard provisions include a "whistle blower" provision, a requirement for a complaint process, standards for sanctions, and a standard for mitigation.
Section 164.520 of the Regulations requires that covered entities adequately document compliance with the Regulations. A covered entity must document its policies and procedures regarding:
(1) uses and disclosures;
(2) implementation of the "minimum necessary requirement of section 164.506(b)";
(3) implementation of the right to request a restriction;
(4) creation of de-identified information under section 164.506(d);
(5) how notices will be disseminated;
(6) granting of access to record sets;
(7) grounds for denying access;
(8) copying fees;
(9) procedures for accounting for disclosures;
(10) procedures for accepting or denying requests for correction or amendment;
(11) how other entities will be notified of corrections or amendments;
(12) identification of responsible persons, including contact persons;
(13) documentation of procedures for complying with the administrative requirements of section 164.518, including identification of responsible officials and contact persons, required training, how access is regulated, the procedure for receiving complaints, sanctions, and procedures for mitigation.
Comment: The Regulation's detailed administrative safeguard requirements, including training and documentation, differ substantially from the more skeletal obligations under the Act, although section 7-101 does invite additional safeguard regulation under section 1-104. The safeguard requirements are one of the more burdensome and potentially costly aspects of this privacy regulation and the Committee rejected more specific provisions in the earlier draft.
Section 7-102 Record retention
Section 7-102 of the Act requires providers (1) to maintain health care information records for a year after receipt of an authorization to disclose or request for correction, (2) to maintain authorizations for disclosure in conjunction with those records, and (3) to maintain a record of certain disclosures. The record of disclosures is to include the name, address, and institutional affiliation, if any, of each person receiving or examining the information, the date thereof, and, to the extent practicable, a description of the information disclosed and the basis of the disclosure.
Section 164.515 sets out the analogous Regulation requirements. An individual has the right to receive an accounting of all disclosures of protected health information made by a covered entity as long as the information is maintained by the entity, except disclosures for treatment, payment, and health care operations and, where the agency certifies that an accounting would impede its activities, disclosures to health oversight or law enforcement agencies. The accounting must provide the date of each disclosure, the name and address of the organization or person who received the information, a brief description of the information, the purpose for which the information was disclosed (for disclosures not made at the request of the individual), and copies of all requests for disclosure. The accounting must be provided within 30 days. Entities must also provide a means of requiring their business partners to provide such an accounting.
Comment: These respective provisions are conceptually similar but should be further reviewed for integration issues.
Section 8-101 Civil enforcement
Section 8-101 provides that an appropriate official may maintain an action to enforce the Act.
Section 164.522 provides a process for complaint to the Secretary of Health and Human Services, investigation by the Secretary, and action by the Secretary to enforce compliance.
Comment: These provisions contain similar authorizations for administrative enforcement actions.
Section 8-102 Civil remedies
Section 8-102 provides that an aggrieved person may maintain an action for relief and may recover actual damages sustained as a result of a violation, and, in an appropriate case, reasonable attorney's fees and expenses incurred. There is a two year statute of limitations.
The Regulations do not provide a private right of action.
Comment: The lack of a private right of action is a significant weakness in the Regulation-based provisions. However, in areas covered by the Regulations, a private right of action under a state statute may be preempted.
Section 8-103 Alternative criminal provision
Section 8-103 provides, as an alternative, a criminal misdemeanor sanction for various willful and egregious violations of the Act.
The Regulations allow the Secretary to initiate a criminal referral under section 1177 of the Social Security Act.
Other Regulation provisions
The following provisions in the Regulations do not have true counterparts in the Act. Parallels, if they occur, are noted.
Minimum disclosure
Section 164.506(b) requires, as a general rule, that a "covered entity must make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the purpose of the use or disclosure." That rule, however, does not apply to various required disclosures such as those requested by an individual or necessary for compliance purposes. The Regulation requires that a covered entity have procedures to identify the appropriate person to determine what information should be used, ensure that the person who is responsible for making the minimum necessary determination makes it, and provide for the making of that decision individually subject to the entity's technological limits. An entity may rely on representations of public officials in making that determination.
Comment: Consideration might be given to including an explicit "minimum disclosure" rule in the Act.
Right to restrict uses and disclosures
Section 164.506(c)(1) provides that a health care provider "must permit individuals to request that uses or disclosures of protected health information for treatment, payment, or health care operations be restricted, and, if the requested restrictions are agreed to by the provider, not make uses or disclosures inconsistent with the restrictions." A provider is not required to agree to the request, and the request does not apply to emergencies or to disclosures that are permitted without individual authorization under section 164.510. However, the provider must have procedures that provide individuals an opportunity to request a restriction and to honor restrictions that are agreed to.
Comment: Consideration might be given to including an explicit "right to restrict" in the Act.
De-identification
Neither the Regulations nor the Act governs information that cannot be linked to an individual. However, section 164.506(d) of the Regulations contains more particular rules concerning what constitutes "de-identified" information.
Comment: Consideration might be given to including more specific rules concerning "de-identification".
Business partners
The Regulations define "business partners" and set criteria for ensuring that disclosures to those partners are protected. Thus section 160.506(e) provides generally that a covered entity may not disclose to a business partner unless it has "satisfactory assurance from the business partner that it will appropriately safeguard the information" and "takes reasonable steps to ensure that each business partner complies with the requirements … with respect to any task or activity it performs on behalf of the entity, to the extent the covered entity would be required to comply with such requirements." "Satisfactory assurance" is defined as a contract between the covered entity and the business partner that, among other requirements, establishes permitted and required uses, provides that the business partner will not further disclose the information except as permitted or required, will not otherwise inappropriately use or disclose the information, will use appropriate safeguards, will report to the entity any inappropriate use, will ensure that its subcontractors and agents agree to the same restrictions, will make information available as required, will make its internal practices, books, and records available to the Secretary, will return or destroy information at the termination of the contract, and will incorporate corrections.
Comment: The latest draft of the Act uses a similar concept, placing safeguard obligations on entities that receive information in the regular course of business.
Deceased individuals
Section 160.506(f) requires a covered entity to comply with the requirements for two years following the death of the individual.
When individual authorization is required
Section 164.508 sets out a number of circumstances where individual authorization is expressly required. An entity is expressly required to obtain authorization for use for marketing; for disclosure by sale, rental, or barter; for use by non-health-related divisions, such as life or casualty insurance, or for banking purposes; for enrollment in a health plan, for making eligibility determinations, or for underwriting or risk ratings; for employment purposes; and for fundraising purposes. An entity is prohibited from conditioning treatment or payment on receiving an authorization, except with respect to a clinical trial, and is prohibited from otherwise requiring an individual to sign an authorization except where required by law.
In contrast, the Act relies on the general prohibition against disclosure unless expressly authorized individually, or by the Act or other law. Section 2-102(c) of the Act does require that an authorization for sale or marketing be executed separately and contain a conspicuous statement of its purpose.
The Regulation, under section 164.508(a)(3), also contains explicit provisions governing disclosure of psychotherapy notes and disclosure of research information unrelated to treatment.
Comment: Again, consideration might be given to adopting more parallel provisions.
Model form
The Regulations set out a model authorization form which, if used, "must be accepted by the covered entity".
Comment: Consideration could be given to adopting such a "safe harbor" model form of authorization.
Defective authorizations
The Regulations set out specific criteria concerning defective authorizations.
Compound authorizations
The Regulations require that authorizations for purposes other than treatment or payment not be on the same document as an authorization for treatment or payment.