Comments on Proposed Standards to Protect Health Care Information
Comments of the American Nurses Association on Proposed Standards to Protect the Privacy of Individually Identifiable Health Information As Published in the Federal Register by the Department of Health and Human Services
February 17, 2000
APPLICABILITY
Section 164.502 Applicability.
Recommendation:
The privacy standards should apply to all individually identifiable health information in any form maintained or transmitted by a covered entity.
Rationale:
Under Section 164.502, the draft regulations only apply to "protected health information" which is defined in Section 164.504 as individually identifiable health information which at some point has been transmitted or maintained electronically by a covered entity. The effect of this approach is to leave a large portion of health information, including that maintained in paper form, unprotected. The vast majority of health information is currently maintained in paper form. This information should be protected.
In their current form, the regulations distinguish between health information that at some point has been electronically maintained or transmitted and that which has not. This distinction is nonsensical, unworkable and unenforceable. At some point, some, but not all, of the information in the record may be transmitted electronically. Under the current proposal, the paper record would then contain both protected information (i.e., information that has been electronically transmitted), and unprotected information (information which has not been so transmitted). It would be burdensome and difficult to identify and designate which information in any particular record is protected.
It would be easier for a covered entity to treat all information it maintains or transmits in the same fashion. Additionally, for enforcement purposes, it may prove difficult, if not impossible, to establish that specific health information at some point in its existence has been transmitted or maintained electronically and, therefore, is subject to the regulations. The best way to reduce these implementation and enforcement ambiguities is to make the privacy standards applicable to all individually identifiable health information transmitted or maintained by a covered entity regardless of its form.
In addition, the administrative simplification provisions of HIPAA appear to encourage the development of a uniform computer-based health information system. This goal is impeded by allowing paper records to remain beyond the scope of the regulations. There is little incentive for covered entities to convert to computer-based health information systems if they may avoid regulation by maintaining paper-based systems.
The Secretary should make the privacy standards applicable to all individually identifiable health information, regardless of its form. Adopting this approach would afford a higher degree of protection for this sensitive information, make the privacy standards easier to implement and enforce, and further HIPAA's goal of encouraging a computer-based health information system.
DEFINITIONS
Sections 160.103, 164.504 Definitions.
Section 164.508 Uses and disclosures for which individual authorization is required.
1. Covered Entity
Recommendation:
The regulations should expressly provide that with respect to persons or organizations that provide health care or have created health plans but are primarily engaged in other unrelated activities, the term "covered entity" encompasses only the health care component of that entity.
Rationale:
This refinement is necessary to ensure the creation of fire walls designed to keep protected health information potentially available to employers through employee health benefit plans and/or health care staff out of the hands of personnel responsible for hiring, job placement, promotion, and firing decisions.
2. Health Care
The Secretary should add the term "assessment" to the list of services considered health care. Assessment is a term-of-art for a determination of baseline health status. When an assessment is conducted as the initial step in the diagnosis and treatment of a patient, the existing definition of health care in the regulation arguably reaches the assessment. However, in the occupational health environment, for instance, assessments are commonly conducted without follow-up diagnosis or treatment to determine an employee's fitness to work. If assessments are not expressly included in the definition of health care, some registered nurses will not meet the definition of a "health care provider" and will, as a result, be beyond the reach of the regulation regardless of their use of electronic record-keeping technologies.
3. Health Plan
To eliminate any ambiguity, the Secretary should clarify that the catch-all-category under the definition of health plan includes "24-hour coverage plans" (whether insured or self-insured) that integrate traditional employee health benefits coverage and workers' compensation coverage for the treatment of on-the-job injuries and illnesses under one program. This clarification is essential because workers' compensation plans per se are not covered entities under the regulation.
4. Protected Health Information
Recommendation:
Protected health information should be defined as individually identifiable health information in any form -- paper or electronic -- that has been maintained or transmitted by a covered entity.
Rationale:
We recommend that the Secretary utilize her full authority and promulgate privacy standards that apply to all individually identifiable health information transmitted or maintained by a covered entity, including information in a non-electronic form. (See our comments on "Applicability.") The definition of protected health information should be revised to reflect this scope of applicability.
A. Section 164.504 (definition of "individual") and minors
We applaud much of the Department's approach in section 164.504. This section largely preserves the status quo, acknowledges the important role that parents play in the lives of their children, and protects the health and well-being of minors, including many of those who lawfully obtain care on their own.
The proposed rule includes the following in the definition of "individual":
(ii) With respect to unemancipated minors, a parent, guardian, or person acting in loco parentis, provided that when a minor lawfully obtains a health care service without the consent of or notification to a parent, guardian, or other person acting in loco parentis, the minor shall have the exclusive right to exercise the rights of an individual under this subpart with respect to the protected health information relating to such care. (page 60053)
This language, in large part, appropriately and wisely perpetuates the status quo. Under current law and practice, parents generally consent to care on behalf of their children and have access to their medical records (at least when anyone has access to those records). It is appropriate in such cases for parents to exercise the rights created by this rule. But in situations in which the minor lawfully obtains health care without the involvement of a parent, information about those health care services now remains confidential and is not shared with the parent without the minor's consent. It is appropriate in such cases for the minor to be the one to exercise the rights under this rule. The proposed rule thus keeps intact much of the delicate balance between parents and minors that exists in the real world today.
There are many sources of law under which minors lawfully obtain health care services on their own. The U.S. Constitution, federal statutes and regulations, state constitutions, and hundreds of different state laws protect the privacy of minors by guaranteeing their right to consent to treatment on their own without parental notice or consent. For example, many states have case law that explicitly guarantees "mature minors" the right to consent to medical care generally. The overwhelming majority of states have statutes that allow minors to consent to specific sensitive services such as prenatal care, family planning services, testing and treatment for sexually transmitted diseases, mental health services, and treatment for alcohol and/or drug abuse.(1) Federal Medicaid law and Title X of the federal Public Health Service Act guarantee that eligible minors receive confidential family planning services. Moreover, the U.S. Constitution puts important limits on the ability of the federal government and the States to restrict a minor's access to abortion services. While more than half of the states enforce laws requiring parental, judicial, or other adult involvement in a minor's abortion decision, those laws must satisfy strict constitutional parameters. Underlying much of this extensive body of law is the recognition that confidentiality is often the key to a minor's willingness to access critically important health care services.
This proposed rule makes the correct and logical link between access to health care services and the right to control access to, and disclosure of, protected health information relating to such care. To do otherwise would undermine the minor's right to obtain the care on his or her own in the first place. Minors will not seek the sensitive health care services they need if they fear subsequent disclosure of that information to their parents over their objection. For health care services to be truly confidential, information relating to such care must remain confidential.
This proposed rule comes close to striking the appropriate balance. It respects the important role that parents generally play in obtaining health care for their children, while at the same time recognizing the need to let minors continue to control their own protected health information in those particular and narrow circumstances in which they lawfully obtain care on their own.
Suggested Modifications and Clarifications
We urge the Department to modify one aspect of the definition of individual to better protect the rights of minors. Specifically, we urge the Department to modify the definition of individual so that minors exercise the rights of an individual when applicable law requires parental notification, as opposed to parental consent (the proposed rule would vest parents with these rights in these circumstances). In addition, we urge the Department to clarify the proposed rule in two ways: (1) clarify that when applicable law does not require the consent of a parent, guardian, or person acting in loco parentis, a minor who chooses voluntarily to notify or involve a parent retains his or her right to exercise exclusively the rights of an individual; and (2) clarify that the proposed rule does not operate to breach patient confidences when a minor and his or her health provider enter into an agreement of confidentiality to which a parent assents.
Rationale for Suggested Modifications and Clarifications
We do not believe that minors should forfeit the ability to exercise exclusively the rights of the individual where applicable law requires parental notification, but not consent, before the minor can obtain a health care service. Such a minor has the legal right to consent to the care, and we believe that such a minor also should have the right to control the health information related to such care. Although a parent notified pursuant to applicable law has knowledge that the minor is obtaining a particular health care service, the minor should retain the right to confidentiality in discussing with the health provider issues such as the facts that gave rise to the need for the service, his or her family's reaction to the medical problem for which he or she seeks treatment, and his or her own feelings about that problem. Minors will be deterred from sharing such vital confidences with health providers if the parent may later gain access to the medical records documenting the confidences.(2) Accordingly, we urge the Department to delete "or notification to" as shown below in the section on proposed language.
For similar reasons, we urge the Department to clarify that minors who voluntarily choose to involve a parent do not surrender their rights under the proposed rule. Minors who can lawfully obtain care on their own often choose to involve a parent because of their close relationship with that parent. The proposed rule should not operate as a disincentive to such voluntary parental involvement or to the sharing of confidences with the health provider by imposing as a consequence of such involvement the minor's loss of the right to control access to the personal health information related to that service. We do not believe the Department intended this result, and we do not believe the language of the proposed rule would necessarily result in the loss of such control, but we suggest language below to clarify this point.
We also are concerned about preserving patient confidences in situations where a health provider such as a pediatrician or pediatric nurse practitioner and a minor patient enter into an agreement of confidentiality and the parent assents to this arrangement. Take, for example, a minor who visits a pediatrician with a parent for the purpose of a routine annual examination. Under protocols developed by the American Academy of Pediatrics, the pediatrician should raise with adolescent patients during their annual exams questions about risk-taking behavior such as drug or alcohol use and sexual activity. Typically, the parent provides the consent for the annual examination, but the pediatrician (again, under protocols developed by the American Academy of Pediatrics) explains to both the parent and the minor that the examination should be private and that the pediatrician will keep the minor patient's confidences. When and to the extent that the parent assents to this arrangement, a private and confidential examination follows.
We cannot imagine that the Department intends that the rule upset these important, established protocols in the health care of adolescents. Perhaps the Department views the annual examination not as one health service, but as a bundle of services, some to which the parent consents and others which the minor lawfully obtains on his or her own. It would be cumbersome, however, for health providers to have to maintain segregated records, with some information under the minor's control and some under the parent's control. We recommend, therefore, that the proposed rule be amended, as shown below, to recognize explicitly that confidentiality agreements between providers and minor patients should be respected when a parent assents to the agreement. In that circumstance, the minor should exercise exclusively the rights of the individual under the rule with respect to the health information covered by the agreement.
In addition, we suggest the Department add a provision giving minors, in certain circumstances, the ability to exercise the rights under the rule concurrently with their parents. This would apply only in instances where the minor does not exercise these rights exclusively under the revised language we propose below. Certainly by age 16, if not before, minors are capable of exercising these rights. In addition, the Department should allow a parent, guardian, or other person acting in loco parentis to authorize his or her minor child to exercise these rights concurrently in whatever circumstances and at whatever age the parent, guardian, or other person acting in loco parentis deems appropriate. Allowing minors 16 and over, or whenever a parent so authorizes, to exercise these rights concurrently would not undermine the rights of parents or interfere with their ability to remain involved in health care treatment decisions. Rather, this approach would respect the minor's growing maturity and transition to adulthood.
Proposed language:
1. Amend section 164.504(ii) as follows:
(ii) With respect to unemancipated minors, a parent, guardian, or person acting in loco parentis, provided that (A) when a minor lawfully obtains a health care service without the consent of or notification to a parent, guardian, or other person acting in loco parentis, or when a parent assents to an agreement of confidentiality between a health care provider and a minor, the minor shall have the exclusive right to exercise the rights of an individual under this subpart with respect to the protected health information relating to such care; and (B) when a minor attains the age of 16, or whenever the parent, guardian, or other person acting in loco parentis so authorizes, the minor shall have the right to exercise the rights of an individual under this subpart concurrently with his or her parent, guardian, or other person acting in loco parentis except in those situations where the minor has the exclusive right to exercise the rights of the individual in accordance with subpart (A). When applicable law does not require the consent of a parent, guardian, or person acting in loco parentis prior to a minor's obtaining a health care service, a minor who chooses voluntarily to involve a parent, guardian, or other person acting in loco parentis shall retain the exclusive right to exercise the rights of an individual under this subpart with respect to the protected health information relating to such care.(3)
B. Specific applications of the term "individual"
It is our understanding that the definition of "individual," including its treatment of minors, applies throughout the rule wherever the term "individual" is used. We are concerned, however, that one isolated reference in the preamble (page 59973) to the applicability of the definition of "individual" in one specific context may raise the inference that this definition may not apply in other contexts. As a result, we recommend that this one statement in the preamble be deleted and that the preamble include the explanatory language below.
Proposed language:
1. Delete from the preamble discussion of the next-of-kin section (page 59973) the following statement: "The proposed definition of 'individual' addresses related disclosures regarding minors and incapacitated individuals."
2. Amend the preamble at page 59935 as follows:
c. Disclosures pertaining to minors. In general, because the definition of individual would include parents, a parent, guardian, or person acting in loco parentis could exercise the rights established under this regulation on behalf of their minor (as established by applicable law) children. However, in cases where a minor lawfully obtains a health care service without the consent of or notification to a parent, the minor would be treated as the individual for purposes of exercising any rights established under this regulation with respect to protected health information relating to such health services. For example, a minor who lawfully obtains a health care service without parental consent would have the rights of the "individual," guaranteed under sections 164.510(h) and 164.510(l), to agree or object to the release of directory information or disclosures to next-of-kin pertaining to care received without parental consent. . . .
C. Minors who become emancipated or attain majority
We suggest the Department clarify the proposed rule's application to situations in which an adult or emancipated minor is seeking access to (or is being asked to authorize disclosure of) protected health information concerning health care services rendered while the person was an unemancipated minor. The appropriate policy is as follows: once a minor becomes emancipated or attains majority, as determined by applicable State law, the minor should exercise the rights of an individual with respect to protected health information relating to services rendered while the person was an unemancipated minor.
Proposed language: We do not believe it is necessary to change the language of the rule itself because under the existing definition of "individual," nothing appears to limit the ability of adults to obtain access to protected health information relating to services rendered while the individual was a minor. It would be helpful, however, for the Department to state this interpretation of the rule in the preamble.
5. Treatment (Disease Management)
The definition of treatment appropriately includes disease management programs which involve "the coordination of health care . . . among health care providers." We are concerned, however, that some employers may rely upon the inclusion of this concept within the definition of treatment to demand what should be protected health information from their health plan component or occupational health component to "force" individual employees with targeted conditions into self-care or medication compliance programs in ways that violate both the employee's privacy interest and his or her right to autonomously control his or her own medical care. To guard against such abuses of the unauthorized disclosures permitted for purposes of treatment under the regulation, the Secretary should clarify and appropriately restrict the meaning of the disease management terminology used in the definition of treatment.
TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
Section 164.506 Uses and disclosures of protected health information: general rules.
1. Initial Authorizations For Treatment, Payment And Health Care Operations Purposes
Recommendation:
The regulations should require authorization from the individual for the use and disclosure of information for treatment, payment and health care operations, which should be renewed at least once every three years or whenever the patient changes insurance companies, whichever occurs first.
Rationale:
We disagree with the Secretary's basic premise that requiring patient authorization for treatment, payment and health care operations is a meaningless enterprise. This issue was addressed at length by the Health Privacy Working Group, a panel comprised of diverse stakeholders including: disability and mental health advocates; health plans; providers; employers; standards and accreditation representatives; and experts in public health, medical ethics, information systems and health policy: Best Principles for Health Privacy, a Report of the Health Privacy Working Group (July 1999). This diverse group noted that as a general rule, requiring patient authorization prior to disclosure can:
- bolster patient trust in providers and health care organizations by acknowledging the patient's role in health care decisions;
- serve as recognition that notice was given and the patient was aware of the risks and benefits of disclosure; and
- define an "initial moment" in which patients can raise questions about privacy concerns and learn more about options available to them.
We find the Secretary's current position regarding authorization for treatment, payment, and health care operations to be particularly objectionable because it runs counter to other efforts to make our health care system function properly. In a world of managed care, the Administration and many health and consumer interests have been dedicated to shifting popular culture to embrace the concept of the "empowered patient." Many observers believe that the best way to make managed care work is for patients to become self-advocates and active in working the system so they get the care they need. Dismantling the current authorization system runs counter to this approach. The Administration's approach disempowers patients by taking away their ability to actively control access to their own protected health information.
Patients should be encouraged to be active participants in their own health care -- and the authorization process should be an integral piece of that picture. The authorization should be renewed at least once every three years, or when the patient changes insurance companies, whichever occurs first. Since entities are already required to provide notice to patients every three years, there would be little additional administrative burden. For covered entities that are health plans, authorization can be obtained through the employer or through the insurance company.
Under this model, it may be necessary to allow covered entities to refuse enrollment or services if the patient refuses to sign the authorization. This would be acceptable if the other changes suggested in our comments were included -- such as a genuine right to restrict disclosures and heightened protections for sensitive information.
Again, we urge the Secretary to add an authorization requirement for treatment, payment and health care operations.
2. Treatment, Payment, and Health Care Operations, Section 164.506(a)
Recommendation:
HHS has attempted to make provision for the business needs of covered entities which require them to disclose protected health information in their operations. Section 164.506(a)(1)(i) provides that a covered entity may use and disclose protected health information, "[e]xcept for research information unrelated to treatment, to carry out treatment, payment, or health care operations." Health care operations is defined at 164.504 to include "[c]onducting quality assessment and improvement activities" and "[r]eviewing the competence or qualifications of health care professionals." However, the commentary to the definition of "health care operations" states that "a health care operation should not result in protected health information being disclosed to an entity that is not the covered entity (or a business partner of such entity) on whose behalf the operation is being performed." It should be made clear that in some circumstances, an employee representative is a business partner involved in health care operations to which protected health information may be disclosed.
Rationale:
The access of most employee representatives to protected health information will be covered by Section 164.510(n), Uses and disclosures otherwise required by law. However, in some state and local jurisdictions, a collective bargaining law does not regulate the relationship of employer to employees. In some of those jurisdictions, employers, including covered entities, have voluntarily entered into relationships with a representative chosen by their employees. Those relationships in some instances will resemble the relationship of employer to employee representative mandated by such laws as the National Labor Relations Act or state collective bargaining laws, although the employers are not covered by those laws. Thus, the employee representative will be given access to information maintained by the employer when it is necessary to the fulfillment of the representative responsibilities to the workforce.
In addition, in some instances, even where the employer/employee representative relationship is governed by federal or state law, the employer and its workforce representative have chosen to go further than the obligations to each other that are mandated by those laws and have entered into partnerships to improve the quality of care and services provided. In such partnerships the union becomes a partner in quality assessment and improvement activities, which are defined by the subpart as a component of health care operations.
Under such circumstances the employee representative functions as a "business partner" of the covered entity and should be entitled to access to protected health information as are other business partners. Although the definition of business partner is broad, there is no recognition of the possibility of employee representatives serving in such roles. Where protected health information is necessary to the employee representative so that the representative can assist with the performance of activities such as quality assessment and improvement activities and activities to review the competence or qualifications of health care professionals, it should be clearly permitted.
3. Prohibition on Seeking Authorization for Uses and Disclosures for Treatment, Payment and Health Care Operations
Recommendation:
We prefer that the regulations include an authorization requirement for treatment, payment and health care operations. If the regulations do not include this requirement, we suggest that the final regulations, at a minimum, allow entities to have the option to require patient authorization for treatment, payment and health care operations.
Rationale:
Under proposed section 164.508(a)(2)(iv) a covered entity is prohibited from requiring an individual to sign an authorization for use or disclosure of protected health information for treatment, payment, or health care operations purposes. The explanation of this provision also indicates a broader intent to prohibit covered entities from "seeking individual authorization" for these listed purposes. 64 Fed. Reg. 59941 (Nov. 3, 1999). Given this expansive language, section 164.508 may be construed in an unduly broad fashion. We are concerned that:
- A general prohibition on health care providers from "seeking individual authorization" may deter health care providers from initiating discussions with patients concerning their rights under section 164.506(c) to request restrictions on the uses or disclosures of protected health information for treatment, payment or health care purposes; and
- Health care organizations have a legitimate interest in collecting patient authorizations and should be permitted to require patient authorization for treatment, payment and health care operations.
Today, health care providers routinely require patient authorizations prior to disclosing protected health information for many purposes. For example, patient authorizations are used as a mechanism for determining what health information to release for purposes of second opinions, consultations, and referrals. Under current procedure, a patient, usually in consultation with a health care provider, will complete a form authorizing the disclosure of his or her health information to another health care provider for second opinions, referrals and consultations. In the form, the patient usually designates both the type and scope of the information to be disclosed and to whom the information is to be disclosed. These authorizations provide meaningful guidance to the initial provider in determining what records to release. The provider may also retain a copy of the authorization in case of a legal dispute.
Furthermore, such authorizations provide the patient with some degree of control over what information is disclosed and to whom it is released. Ultimately, it may help the patient to determine who is in possession of his or her medical records.
We suggest that the explanation of section 164.508 be revised to clarify that a covered entity may require an individual authorization to restrict the use or disclosure of health information for the purposes of treatment, payment and health care operations.
4. Scope of "Treatment and Payment"
Recommendation:
The terms "treatment" and "payment" should be narrowly construed as encompassing only the treatment and payment related to the individual who is the subject of the information.
Rationale:
Draft section 164.506 would allow covered entities to use and disclose protected information without an individual's authorization for the purposes of treatment and payment. The Secretary intends that this provision be interpreted "to apply for treatment and payment of all individuals."
One of the Secretary's justifications for this broad interpretation is that treatment and payment are core functions of the health care system and that "[t]his is what individuals expect their health information will be used for when they seek medical care."
To the contrary, individuals seeking medical care expect that their health information will be used for their own treatment and payment. Many people would be mortified to learn that their health information was being reviewed for the treatment of others -- particularly people they know. We find particularly disturbing the Secretary's examples of permissible uses without the individual's consent, such as the review of the records of family members or house mates. When a physician is examining the information of a small group of individuals known to the patient, such as family members or house mates, the risk of inadvertent disclosure of identifiable data to the patient is not insignificant. When dealing with such a small group, patients easily would be able to surmise the identity of those whose information has been reviewed, as well as their health status. Individuals should have the ability to decide whether they want to accept the risk of disclosure by allowing their medical information to be used for the treatment of someone they know.
We recognize there may be legitimate circumstances where a provider may want to review the health information of the patient of another provider. We believe these circumstances would be limited, however, and that it would not pose a substantial burden on providers to request authorization for these purposes. We encourage the Secretary to construe "treatment" and "payment" in a narrow manner as applying to the treatment and payment of the individual who is the subject of the health information. Uses and disclosures for the treatment and payment of others should be permitted only with the authorization of the individual.
This suggested approach of construing "treatment" and "payment" in a limited fashion is endorsed by many states that generally prohibit disclosures without the patient's authorization but make an exception for disclosures to providers who are treating the patient who is the subject of the protected health information. See e.g., Ariz. Rev. Stat. sec. 12-2294 (allowing the disclosure of a patient's medical records without a signed authorization to attending and consulting health care providers who are currently providing health care to the patient for the purpose of diagnosis or treatment of the patient) (emphasis added); Md. Code Ann. Health-Gen. sec. 4-303 (allowing disclosures to another health care provider for the sole purpose of treating the patient or recipient on whom the medical record is kept); Fla. Stat. Ann. sec. 455.667 (prohibiting the disclosure of medical records to anyone other than the patient, his representative, or other health care practitioners and providers involved in the care or treatment of the patient except upon written authorization of the patient) (emphasis added); Cal. Health & Safety Code sec. 56.10(c)(1) (permitting medical information to be disclosed to other providers of health care "for purposes of diagnosis or treatment of the patient") (emphasis added). We note that even the examples cited by the Secretary in her explanation permit disclosures only to providers "treating the individual" or to "a person who is providing health-care to the patient." 64 Fed. Reg. 59941 (Nov. 3, 1999).
We urge the Secretary to adopt this approach and to construe "treatment" and "payment" as applying to the treatment and payment of the individual who is the subject of the health information.
5. Verification of Identity of Requesters of Information
While we prefer that issues of verification be addressed through an authorization process that involves the patient, we endorse section 164.518(c)'s general requirements that covered entities have procedures for verifying the identity of the requester of protected health information. We believe that section 164.506 should incorporate this requirement.
Recommendation:
Section 164.506 should have a provision expressly requiring covered entities to comply with the applicable verification requirements under section 164.518(c).
Rationale:
Under proposed section 164.506, it appears that providers are permitted to disclose protected health information to other providers for consultation or referral without verifying the identity of the provider who has requested protected information. Because providers who disclose to other providers for consultation or referral purposes are not subject to the business partner rules in section 164.506(e) and covered entities are prohibited from obtaining individual authorizations under section 164.506 (see p. 59941), providers are given blanket authority to disclose protected health information for treatment, payment and health care operations about a patient without knowing whether the person who has requested the information is actually (1) a provider and (2) treating that particular patient or has another valid reason for requesting the patient's records. We recommend that the verification procedures set forth in section 164.518(c) apply to uses and disclosures for treatment, payment and health care operations.
Section 164.518(c) generally requires covered entities to have adequate procedures for verifying that the individual or person making the request for protected health information has the appropriate identity for the use or disclosure requested, except in specified circumstances. The Secretary's explanation of the regulation indicates that for most categories of permitted disclosures, when the request for disclosure of protected health information is from a person with whom the covered entity does not routinely do business, the covered entity would be required to verify the identity of the requestor. It is clear from the language of section 164.518(c) and the Secretary's explanation of this provision that the verification procedure was intended to apply to section 164.510 requests (made pursuant to the "public policy" uses and disclosures permitted without individual authorization). Furthermore, section 164.510(a)(1) itself expressly incorporates this verification requirement and requires covered entities to comply with any applicable verification requirements under section 164.518(c) as a condition of using or disclosing protected health information without the individual's authorization.
In contrast, it is unclear whether these verification procedures apply to section 164.506 requests (made pursuant to the provisions allowing use and disclosure for treatment, payment and health care operations without individual authorization), even where the request for information originates from an unfamiliar source outside the covered entity. The language of section 164.518(c) is general and somewhat ambiguous. The Secretary's explanation of section 164.518(c), while general enough to encompass section 164.506 uses and disclosures, does not directly address uses and disclosures for treatment, payment and health care operations. Furthermore, unlike section 164.510, section 164.506 does not expressly incorporate the verification requirements under section 164.518. Consequently, it is at least arguable that the regulations do not impose the 164.518 verification requirements on 164.506 disclosures even when the request originates from an unfamiliar source outside the covered entity.
Although the rules in section 164.506(e) would afford some protection for disclosures to business partners by requiring contracts that ensure that the business partner will safeguard information that it receives, these rules expressly exclude disclosures from provider to provider for consultation or referral purposes. In sum, there appear to be no verification rules or other checks on provider-to-provider disclosures under section 164.506.
Presumably, the Secretary considers provider-to-provider uses and disclosures for consultation or referral to pose less of a risk of unwarranted disclosure than other uses and disclosures. We believe, however, that provider-to-provider disclosures for consultation and referral can pose a significant risk of unwarranted disclosure. Consider this scenario: a woman seeks specialized treatment for reproductive health services, or mental health services. If another provider requests information, the provider who rendered the services would not have to consult the patient before the disclosure or even verify who has requested the information. Of particular concern is that this loophole would be used by people who are not providers to obtain information on patients under false pretenses.
While many providers may argue that the requirements of 164.518(c) create additional administrative burdens, we believe that these verification procedures are reasonable, and the only situation in which providers would have additional administrative burdens is when the identity of the provider requesting the information is unknown--where the risk of inappropriate disclosure is the greatest. Those providers that have ongoing relationships would obviously know the requestor and not be required to conduct additional verification.
We recommend the following addition to 164.506(a):
(a) Standard. A covered entity may not use or disclose an individual's protected health information, except as otherwise permitted or required by this part or as required to comply with applicable requirements of this subchapter. In using or disclosing protected health information under this section a covered entity must comply with applicable verification requirements under section 164.518(c).
6. Exception For Psychotherapy Notes
We commend the Secretary for accepting in principle the need to limit access to psychotherapy notes, absent specific consent from the individual. However, without additional protections this provision at best provides only very limited privacy protection.
Recommendation:
The rule should make clear that it is the information that is being protected, not just the specific "notes" themselves.
Rationale:
The protection for notes will not be meaningful if the same information can be demanded in a different format. We are also concerned by the likely expansive interpretation of the notes' definition which might allow plans and others to require the release of verbatim notes. For this reason we believe that the explanatory text should specify that demands for verbatim notes are not permitted and that the amount of information that is excluded from the patient consent requirement be narrowed dramatically.
7. Exception for Psychotherapy Notes
Section 164.510 Disclosures
Recommendation:
The limitations on disclosure of psychotherapy notes should extend throughout the regulation. In particular, there should be a prohibition on disclosure of psychotherapy notes for the activities addressed in section 164.510.
Rationale:
The proposed regulation only affords heightened protections for purposes of treatment, payment, and health care operations. In all other circumstances, the notes may be used or disclosed in the same manner as all protected health information. Under the proposed regulation, for example, the notes may be used or disclosed for public health reporting, to next of kin, for directory information, and to law enforcement.
There is no good rationale for psychotherapy notes to be shared, unless the individual has authorized the use or disclosure. Psychotherapy notes include extremely sensitive information, and if individuals are aware that such information can be shared so widely, it will likely destroy the therapeutic relationship.
8. Exception for Psychotherapy Notes
Interaction with Common Law
We also call to your attention the need for a provision which requires section 164.510 disclosures be consistent with the psychotherapist-patient privilege first established by Jaffee v. Redmond. Nor should the regulations modify "duty to warn" case law or statutes which, under certain circumstances, require the disclosure of medical information when a specific threat has been made to a person's safety.
MINIMUM NECESSARY
Section 164.506(b)(1) Standard: Minimum Necessary.
Summary
We support the general rule in the proposed regulation that organizations "must make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure." We are particularly pleased that the minimization requirement extends to treatment, payment, and health care operations.
This rule does not apply in the following circumstances:
- When the individual requests that a disclosure be made to a third party
- When the individual requests access to his or her own health information
- For enforcement of the rule
- Made by a covered health care provider to a covered health plan for audit and related purposes
- When required by law and permitted in section 164.510.
We believe that the only appropriate exception to the minimization requirement is when an individual requests access to his or her own information. In all other circumstances, the minimization requirement should apply for all uses and disclosures.
We recognize, however, that because the proposed rule only covers certain entities, it may not always be possible for the covered entity to make a determination as to what information is necessary to accomplish the purpose of the disclosure. In some circumstances - such as health care oversight - there may even be a conflict of interest in disclosing the data.
The proposed rule resolves this tension by exempting certain activities from the minimization requirement. These exceptions, however, are especially broad, particularly with regard to disclosures allowable under section 164.510. In practice, it would mean that a large number of uses and disclosures would not be subject to the minimization requirement. These activities include health oversight, law enforcement, directory information, judicial and administrative proceedings, research, next-of-kin, and many others.
Our comments identify those areas where we feel that the minimization requirement is appropriate and should be applied in the context of the proposed regulation. We still believe, however, that a universal minimization requirement is essential, and should be enforced through a comprehensive federal health privacy law.
Finally, our comments identify circumstances where we believe that the entity requesting information should be held to a minimization standard. In these cases, the disclosing entity could rely on the decision of the requesting entity, without losing accountability.
Note: The proposed rule establishes the general minimization requirement in section 164.506 (b) (1) and includes a list of exceptions. In our comments we do not suggest amending this section, but adding additional requirements to the individual sections included as exceptions to the minimization requirement. However, the same result could be achieved by narrowing the exceptions to the minimization rule outlined in section 506 (b) (1).
1. Duty to Request The Minimum Necessary
Recommendation:
Where the disclosing entity does not have the ability to determine the minimum amount necessary, the covered entity requesting the information should only be permitted to request the minimum amount necessary to accomplish the purpose of the disclosure.
Rationale:
There are a number of circumstances where the entity disclosing data is expected to assume that the amount requested is the minimum amount necessary. There is no requirement in the proposed rule, however, for the entity requesting data to request only the minimum amount necessary. In such circumstances, therefore, there will be no guarantee that the minimum amount of information will be shared.
The proposed rule should address this issue by requiring that the entity requesting data - if they are a covered entity - be required to request only the minimum amount necessary to accomplish the purpose of the disclosure.
2. Disclosures at The Individual's Request
Recommendation:
When a covered entity discloses protected health information at the individual's request, they should limit the disclosure to the minimum amount necessary, unless the individual has indicated otherwise.
Rationale:
The proposed regulation distinguishes between an authorization made at the request of an individual, and an authorization made at the request of a covered entity. If the individual makes the request, the covered entity is not bound to the general minimization requirement. In practice, then, a covered entity could disclose more information than the individual intended.
We believe that the minimization requirement should be extended to circumstances when the individual requests a covered entity to make a disclosure. If the individual wants all protected health information released, that can be specified in the authorization.
3. Judicial And Administrative Proceedings
Recommendation:
Where a request for protected health information is not accompanied by a court order, the covered entity should only be permitted to disclose the amount of information requested.
Rationale:
The proposed rule specifies that in the case of judicial and administrative proceedings, "[w]here the request for disclosure of protected health information is accompanied by a court order, the covered entity may disclose only that protected health information which the court order authorizes to be disclosed." Section 164.510 (d) (3) (i). However, if the request is not accompanied by a court order there is no requirement that only the amount requested be disclosed. We believe that only the amount reasonably necessary to respond to the request should be disclosed.
4. Law Enforcement
Recommendation:
Sections 164.510 (f) (3 and 5) should be revised to ensure that these disclosures are limited to the minimum amount necessary to accomplish the purpose of the disclosure.
Rationale:
The proposed rule somewhat limits the amount and type of information available to law enforcement. There are some circumstances, however, where law enforcement officials would have access to all parts of the medical record, without a meaningful review process.
Law enforcement access to protected health information for information about a victim of crime or abuse, and for health care fraud, should be subject to the minimum amount necessary to accomplish the purpose of the disclosure.
5. Next of Kin
Recommendation:
Disclosures to next of kin should be restricted to the minimum amount necessary to accomplish the purpose of the disclosure, and restricted to information relevant to the current medical condition.
Rationale:
The proposed rule allows for disclosures to next-of-kin if the individual has verbally agreed to the disclosure. There is no guidance, however, as to how much, or what kind of information can be disclosed. Since the agreement in this instance will be a verbal agreement, it is especially important to ensure that only the minimum amount of information necessary is disclosed, and only that information relevant to the current medical condition.
In other words, the verbal agreement to disclosure to next of kin should be understood to mean information about the present medical condition at issue, unless the individual has given specific permission to disclose additional information.
This approach was taken in some of the comprehensive health privacy bills considered in the 106th Congress. S. 578, co-sponsored by Senators Jeffords (R-VT) and Dodd (D-CT), for example, allows information to be shared with next of kin if "the information disclosed related to health care currently being provided to that individual." S. 578 § 204 (a) (2).
6. Limit Section 164.510 Disclosures to Amount Requested
Recommendation:
When a covered entity discloses protected health information pursuant to section 164.510, they should be prohibited from disclosing information in excess of the information requested.
Rationale:
We agree that it will sometimes be impracticable for covered entities to determine the minimum amount necessary for the disclosures identified in section 164.510. However, when the covered entity discloses information pursuant to section 164.510, they should only be permitted to disclose the amount of information requested. In Maine, for example, the relevant state law requires that "a health care practitioner or facility that discloses health care information... may not disclose information in excess of the information requested in the authorization." Me. Rev. Stat. tit. 22 sec. 1711-C, subsec. 10 as amended by 1999 Me. Laws 512 sec. Ax 5. Where authorization is not required (including disclosures pursuant to subpoenas), the entity "may not disclose information in excess of the information reasonably required for the purpose for which it is disclosed." Id.
RIGHT TO REQUEST RESTRICTIONS
Section 164.506(c) Standard: right of an individual to restrict uses and disclosures.
Summary
We support the general idea behind the regulations' granting individuals the right to request restrictions on the uses and disclosures of protected health information. There are many circumstances where an individual has a legitimate concern that the disclosure of protected health information will result in personal harm or discrimination. Imposing a restriction on the disclosure of protected health information can help alleviate these potential problems. We believe, however, that the right to request a restriction does not adequately address these concerns. The regulations should provide more protection for individuals.
We suggest that the regulations be amended in the following ways:
i. Allow individuals to have a true right to restrict (not just the right to request restrictions on) the use and disclosure of their protected health information where the disclosure of that information could jeopardize the safety of the individual.
ii. Allow individuals who pay for their own medical care (self pay) to have a true right to restrict the disclosure of their protected health information.
iii. Extend the application of this section to all covered entities.
iv. Require all covered entities that receive health care information that is subject to a restriction agreement to comply with the restriction.
1. A True Right to Restrict
Recommendation:
The regulations should include a new provision specifying that individuals have a right to restrict the use and disclosure of their protected health information (not subject to the approval of a covered entity) where the disclosure of such information could jeopardize the safety of the individual.
Rationale:
Victims of domestic abuse need to be able to place restrictions on the use and disclosure of their protected health information even for treatment, payment and health care operations purposes. Victims of abuse need to know that their health information and their whereabouts will be fully protected in order to access health care safely. It is essential that a victim who has fled an abuser not be found because a provider or insurer gives the batterer the victim's new address, either directly or through the mailing of an explanation of benefits form. A victim's right to restrict the disclosure of protected health information should not be dependent on the agreement of a health care provider, who may underestimate the severity of the danger. Failing to give victims of abuse a true right to limit disclosures of information, where the disclosure would endanger their safety, will undermine the efforts of the health care community to serve victims of abuse and deprive them of necessary care and assistance.
HIPAA recognizes the special needs of victims of domestic violence by specifically including conditions resulting from abuse as a prohibited underwriting consideration. The draft regulations also recognize the need of victims of abuse for special protection against the disclosure of their whereabouts by providing protection against such disclosures in the section 164.510(h) relating to directory information and discussion at page 59965. However, as discussed above, the confidentiality needs of victims of abuse extend beyond the need to limit directory information.
Granting individuals the true right to restrict the disclosure of their protected health information to protect their safety is not a novel concept. The 1998 Health Information Privacy Model Act adopted by the National Association of Insurance Commissioners (NAIC) takes this approach. See Health Information Privacy Model Act, sec. 14.A. The NAIC, the association of state insurance regulators, adopts model laws only after obtaining extensive input from all interested parties. In the case of this privacy model, the NAIC deliberated over several years, holding numerous meetings at which insurers and consumers provided extensive comment and engaged in lengthy negotiation. This model and the particular provision which we ask the Secretary to include in the regulations can therefore be considered to be the result of a consensus, to which numerous participating health plans and members of the insurance industry agreed. We suggest that the Secretary adopt the approach taken by NAIC's Model Act.
Specifically, we recommend that the Secretary add the following subsection to section 164.506:
Standard: Right of an individual to restrict the use and disclosure of protected health information where disclosure could jeopardize the safety of the individual.
(a) An individual has the right to restrict the disclosure of his or her protected health information by communicating in writing to a covered entity that the safety of the individual could be jeopardized by:
(1) disclosures to specified individuals; or
(2) contacting the individual in specified manners.
(b) A covered entity may not disclose protected health information inconsistent with the restriction under paragraph (a) of this section. Such restrictions may include, but are not limited to, prohibiting the release of any information to a spouse to prevent domestic violence, and restrictions on the mailing of appointment notices to the individual's home, calling the home to confirm appointments, and mailing an explanation of benefits to the individual or to the policyholder. If the individual places restrictions on the manner in which the covered entity may communicate with the individual, the covered entity may ask the individual to provide a phone number or an address for such communications and may require the individual to indicate how payment will be arranged if payment is due.
2. Self-paying Individuals
Recommendation:
We believe that the right to request restriction agreements should continue to be available to all individuals. In addition, the regulations should include a new provision specifying that an individual who pays a health care provider directly for health care services has the right to restrict the use and disclosure of health care information related to such services, and that such right is not subject to the approval of the health care provider.
Rationale:
The Secretary has indicated that she considered limiting the right to request restrictions on disclosures to patients who pay for their own health care. 64 Fed. Reg. 59946. At a bare minimum, we believe that all individuals, not just those who self-pay, should have a right to request restrictions.
Additionally, we believe that individuals who self-pay should have the true right to restrict the use and disclosure of their protected health information. Some individuals have opted to pay for treatment for certain medical conditions themselves rather than take the risk that their insurance company or their employer will learn of these conditions and take adverse actions against them. This approach, while not ideal, allows people to get the treatment they need while controlling the possibility of discrimination based on health condition. We believe that individuals who self-pay for their health care should have the ability to control the use and disclosure of the related health information. This is particularly true in a regulatory system such as the one proposed that would allow an individual's health information to be freely used for the treatment and payment of others.
We propose that the regulations include a new provision that allows patients who self-pay for their health care to restrict the use and disclosure of the related health care information. The decision to restrict should be made solely by the individual and should not be subject to the agreement of the health care provider. The ability to restrict disclosures for payment is a natural consequence of self-paying. We believe an individual should also be able to restrict the use and disclosure of protected health information for treatment purposes given the Secretary's intention that information generally may be used for treatment of all individuals without the subject's consent.
Hawaii, which recently enacted a comprehensive privacy of health care information law, adopted this approach and allows individuals who self-pay to restrict the disclosure of their health care information. See Haw. Rev. Stat. § 323C-21(c). We suggest that the Secretary adopt the approach taken by Hawaii's health privacy law and add the following subsection to section 164.506:
Standard: Right of an individual to restrict uses and disclosures of protected health information related to health care services paid for directly by the individual.
If an individual does not want protected health information used or disclosed for the purposes of treatment, payment, or health care operations, the individual shall advise the health care provider prior to the delivery of services that the relevant protected health information shall not be disclosed for these purposes pursuant to section 164.506(a)(1)(i), and the individual shall pay the health care provider directly for health care services. Protected health information related to health care services so identified and paid for directly by the individual shall not be disclosed for purposes of treatment, payment, or health care operation purposes without the individual's authorization.
3. Application to All Covered Entities
Recommendation:
We urge the Secretary to expand the application of this section to all covered entities.
Rationale:
As discussed above, we believe that individuals should have a true right to restrict the disclosure and use of their protected health information in certain circumstances. Whether the Secretary adopts our suggested approach or maintains the current regulatory framework of only allowing individuals to request restrictions on disclosures, we believe, at a minimum, that the restriction requirements should apply not only to health providers, as currently specified in section 164.506(c)(1)(i), but also to health plans.
The disclosure of protected health information may pose a harm to the individual, regardless of the source of that disclosure. There are circumstances in which it is appropriate to request not only a health provider but also a health plan to restrict disclosures of protected health information. In light of NAIC's 1998 Health Information Privacy Model Act it appears the health insurance industry and the NAIC have already reached a consensus that health plans may be required to restrict the disclosure of health information.
4. The Restriction Should Follow The Protected Health Information
Recommendation:
Require all covered entities that receive health care information that is subject to a restriction to comply with the restriction.
Rationale:
Under the proposed regulations, it appears that only the original health care provider is required to comply with the restriction agreement. See 164.506(c). Although the covered entity entering into such an agreement is required to notify those to whom such information is disclosed of such restriction, there is no requirement that a covered entity receiving the information comply with the restriction. § 164.506(c)(2)(iv). A restriction that does not follow the information would be of limited value. The Secretary clearly has the authority to impose a duty to comply with the restriction on a covered entity receiving such information. We recommend that such a provision be added to the regulations.
BUSINESS PARTNERS
Section 164.506(e) Standards: business partners.
Recommendation:
We oppose the requirement that covered entities be accountable for the uses and disclosures of protected health information by their business partners.
Rationale:
ANA understands the attempt to fill a gap in authority by extending the standards to covered entities' business partners through contracts. However, this requirement that health care providers police others, whose behavior they cannot control, is inherently unfair. The fact that there is insufficient statutory authority to apply the regulation to all entities who should be covered is not an acceptable reason for "kicking it to fit," at the expense of practitioners who cannot reasonably carry the required burden and should not be required to. Covered entities may be required to select reputable business partners, to disclose information to them in a responsible manner, and may even have contracts that specify the expectation that the business partner will comply with the requirements of the law. But the covered entity's liability should end there; practitioners cannot control all acts of their business partners. If a business partner violates the requirements of the proposed regulations, the covered entity may not be in a position to mitigate the violation or terminate the contract as required under the proposed regulations. If a business partner violates its contract with a covered entity, the covered entity should be shielded from any liability for the inappropriate use or disclosure of protected health information.
ANA believes that this problem demonstrates the need for comprehensive Federal legislation on the entire issue of health care privacy and confidentiality. A requirement under HIPAA for regulations to safeguard electronic records is simply too thin a basis for properly addressing this most complex and vexing issue. Federal law should mandate that the privacy of the health information is the responsibility of any entity handling the information in the course of business.
Business partners are often larger and more sophisticated than many practitioners with which they have relationships. The business partner arrangement does not adequately address the current complexity of health care. Arrangements are not only made among providers, patients, and payers but among a whole host of other entities such as pharmacy benefits management organizations and home health companies. To categorize these relationships and corporate networks as business partners implies a degree of autonomy that simply no longer exists and ignores the intricacies involved. These relationships are more likely to be the product of giant corporations and not contractual agreements whereby providers elect to outsource administrative tasks.
ADHERENCE TO NOTICE
Section 164.506(g) Standard: uses and disclosures consistent with notice.
Recommendation:
We support the regulations' requirement that covered plans and providers adhere to the statements reflected in the notice of information practices.
Rationale:
Such a notice is meaningless if a covered entity does not actually follow the practices outlined in its notice. Many of our members have experience with organizations that have written policies and procedures governing the confidentiality of occupational health records. Despite that, there are instances in which the organization fails to follow those policies. A statute giving legal weight to existing policies would help alleviate this situation.
COMPONENT ENTITIES
Section 164.506 Uses and disclosures of protected health information: general rules.
We urge the Secretary to amend the proposed regulation to expressly provide that, with respect to persons or organizations that provide health care or have created health plans but are primarily engaged in other unrelated activities, the term "covered entity" encompasses only the health care component of that entity. She also should add language to the regulation itself making it clear that effective fire walls must be set up between the health care component units of an employer (e.g., the employee health benefits plan administrative group and the occupational health department) and the rest of the company so that protected health information cannot fall into the hands of personnel responsible for making job determinations.
INDIVIDUAL AUTHORIZATION
Section 164.508 Uses and disclosures for which individual authorization is required.
SUMMARY
We support the regulations' requirement that covered entities obtain an authorization from the individual for most uses and disclosures that are not directly related to treatment, payment or health care operations. We strongly agree with the regulation's prohibiting covered entities from conditioning the provision of treatment or payment on the individual's delivering an authorization for use or disclosure. Furthermore, we support the Secretary's intent that uses and disclosures of protected health information be consistent with the purposes stated in the authorization, and we suggest that the regulations be revised to expressly provide that a covered entity and its business partners may use or disclose protected health information only for the purpose specified in the authorization. We also recommend that covered entities be required to obtain individual authorization prior to making certain disclosures of information pertaining to an individual's request or receipt of sensitive health services.
1. Individual Authorization For Purposes Other Than Treatment, Payment or Health Care Operations
Recommendation:
We encourage the Secretary to retain provisions of the proposed regulations that require covered entities to obtain an authorization from individuals for most uses and disclosures of protected health information that are not directly related to treatment, payment, or health care operations.
Rationale:
We agree with the Secretary that most individuals do not anticipate many other uses of their health information, such as marketing purposes, when they obtain health care. Furthermore, information which is being used or disclosed for purposes other than the core health-related purposes is more likely to end up in the hands of entities that are not subject to the protections afforded by the regulations. Thus, it is appropriate that the individual be both notified and consent to the potential use and disclosure of protected health information for these purposes. The requirement for individual authorization for uses of health information not directly related to the care of the patient is supported by state law. See 1999 Cal Stats. ch. 526 sec. 2 (generally requiring a patient's authorization for sharing, selling or using medical information for any purpose not necessary to provide health care services to the patient); Haw. Rev. Stat. §323C-23 (requiring a separate authorization for disclosures of health information other than for treatment, payment or qualified health care operations purposes).
2. Prohibition on Conditioning Treatment or Payment on Authorization
Recommendation:
We strongly support the regulations' prohibition on covered entities from conditioning the provision of treatment or payment on the individual's authorization for use or disclosure of protected health information.
Rationale:
Covered entities should not be allowed to coerce individuals into signing authorizations for disclosures that are not necessary for treatment, payment or health care operations. Recognizing this potential abuse, California prohibited such coercive activities in its recent amendments to the Confidentiality of Medical Information Act. See 1999 Cal. Stats. ch 526 sec. 9 (prohibiting providers and plans from conditioning the receipt of health care services on the individual's signing an authorization or release of medical information).
3. Use And Disclosure Should Be Limited to The Purpose Specified in The Authorization
Recommendation:
The regulations should expressly provide that a covered entity and its business partners may only use or disclose protected health information for the purpose specified in the authorization.
Rationale:
Under the proposed regulations, when a covered entity asks an individual to sign an authorization, it must provide on the authorization form a statement that identifies the purposes for which the information is sought. The preamble states that "[c]overed entities and their business partners would be bound by the statements provided on the authorization, and use or disclosure by the covered entity inconsistent with the statement would constitute a violation of this regulation." It appears that this intended requirement was not incorporated in the actual text of the regulations.
Section 164.506 (a)(1)(ii) generally provides that a covered entity is permitted to use or disclose an individual's protected health information "pursuant to an authorization by the individual that complies with §164.508," but does not expressly impose a requirement that the covered entity use or disclose the information solely in accordance with the purposes stated in the authorization. Neither does section 164.508 have such an express requirement. In order to avoid any possible ambiguity, we suggest that the regulations expressly provide that covered entities and their business partners may only use or disclose protected health information for the purpose specified in the authorization.
4. Separate Authorization For Specific Disclosures of Protected Health Information Involving Sensitive Health Care Services
Recommendation:
The regulations should require a covered entity to protect against inadvertent disclosures of protected health information concerning sensitive health care services (defined as services relating to reproductive health, sexually transmitted diseases, substance abuse, and mental health) by obtaining the individual's authorization prior to communicating with the individual (or the policyholder) at the individual's home (whether by phone or by mail).
GOVERNMENTAL HEALTH DATA SYSTEMS
Section 164.510(g) Disclosures and uses for governmental health data systems.
Summary
We understand the need of legitimate governmental health data systems for patient information. We are concerned, however, that the current language of the regulations would permit disclosure of protected health information for purposes wholly unrelated to health care. We are also concerned that, due to the limits of HIPAA, governmental health data systems are not subject to the current privacy regulations. We urge Congress to take action to close this gap in the protection afforded to identifiable health information.
1. The Scope of Permissible Purposes
Recommendation:
Section 164.510(g) should be amended to permit disclosures only to governmental health data systems that collect health data for health care related purposes.
Rationale:
In the preamble, the Secretary explains that she proposes to permit covered entities to disclose protected health information for inclusion in State or other governmental health data systems when such disclosure is authorized by law for analysis in support of policy, planning, regulatory and management functions. 64 Fed. Reg. 59964. The Secretary then explains that she "believe[s] that Congress intended to permit States . . . to operate health data collection systems for analyzing and improving the health care system." Id. (Emphasis added.) We believe that allowing disclosures for these limited purposes is the correct approach. The draft regulations, however, do not carry out the Secretary's apparent intent to limit disclosures to government health data systems that will use the data for health care (or health care system) purposes.
Section 164.510(g) allows a covered entity to "disclose protected health information to a government agency, or a private entity acting on behalf of a government agency, for inclusion in a governmental health data system that collects health data for analysis in support of policy, planning, regulatory, or management functions." (Emphasis added.) The type of policy, planning, regulatory or management function is not at all qualified or limited by the regulation. The unqualified language of the proposed regulation is so broad as to allow disclosure to countless federal and state agencies with no direct health responsibilities. For example, the police could qualify to obtain all identifiable patient data for a database designed to help the police make decisions about management of the use of police resources near a health care facility. This regulatory provision, which grants free access to protected health information, should not create a mechanism whereby government agencies can effectively circumvent the standards that they would otherwise have to meet to obtain this protected information.
To alleviate this potential problem, section 164.510(g) should be amended as follows:
(g) Disclosures and uses for governmental health data systems -
(1) A covered entity may disclose protected health information to a government agency, or private entity acting on behalf of a government agency, for inclusion in a governmental health data system that collects health data for analysis in support of health care related policy, planning, regulatory, or management functions authorized by law.
(2) Permitted uses. Where a covered entity is itself a government agency that collects health data for analysis in support of health care related policy, planning, regulatory, or management functions . . .
2. Scope of The Regulations
Recommendation:
Congress should enact comprehensive health privacy legislation applying to all entities that generate, receive or transfer protected health information.
Rationale:
Under the terms of HIPAA, these privacy regulations may only apply to health plans, certain health providers, and health care clearinghouses. Governmental health data systems do not fall in any of these categories and therefore are not subject to the restrictions contained in the proposed regulations. These systems collect a wealth of protected health information and should be subject to federal protections. We recognize that the Secretary can not currently act in this area and we urge Congress to pass legislation closing this gap in coverage.
DIRECTORY INFORMATION
Section 164.510(h) Disclosures of directory information.
We support the general rule that health care providers may disclose protected health information for directory purposes only where the individual has agreed to such disclosure. We encourage the Secretary to change the language of the preamble to clarify that minors who lawfully obtain health care services without parental involvement have the right to decide whether their information may be released for directory information purposes.
Recommendations:
1. Delete from the preamble discussion of the next-of-kin section (page 59973) the following statement: "The proposed definition of 'individual' addresses related disclosures regarding minors and incapacitated individuals."
2. Add to the preamble at page 59935 the following explanation:
c. Disclosures pertaining to minors. In general, because the definition of individual would include parents, a parent, guardian, or person acting in loco parentis could exercise the rights established under this regulation on behalf of their minor (as established by applicable law) children. However, in cases where a minor lawfully obtains a health care service without the consent of or notification to a parent, the minor would be treated as the individual for purposes of exercising any rights established under this regulation with respect to protected health information relating to such health services. For example, a minor who lawfully obtains a health care service without parental involvement would have the rights of the "individual," guaranteed under sections 164.510(h) and 164.510(l), to agree or object to the release of directory information or disclosures to next-of-kin pertaining to care received without parental involvement. . . .
Rationale:
It is our understanding that the definition of "individual," including its treatment of minors, applies throughout the rule wherever the term "individual" is used. We are concerned, however, that one isolated reference in the preamble (page 59973) to the applicability of the definition of "individual" in one specific context may raise the inference that this definition may not apply in other contexts. As a result, we recommend that this one statement in the preamble be deleted and that the preamble include the explanatory language above.
BANKING AND PAYMENT PROCESSES
Section 164.510(j) Disclosures for banking and payment processes.
The draft regulations provide that only the minimum amount of protected health information necessary be used or disclosed to complete a banking or payment activity. We believe that this is the correct approach. Additional information is not needed for these purposes. However, since banks and financial institutions fall outside the scope of these regulations, we urge Congress to pass comprehensive health privacy legislation that limits the uses and further disclosures of even this minimal amount of protected health information by financial institutions.
With the growing ability to manipulate data through computerization, we are concerned that financial institutions may use even this minimal protected health information for making financial decisions. For instance, a financial institution may be able to identify an individual who has paid for treatment by an oncologist and deny the individual a mortgage based on that information. We realize that financial institutions are beyond the scope of the Secretary's authority, and that only Congress can impose restrictions on the uses that a financial institution can make of protected health information obtained through the payment process.
ADDITIONAL USES AND DISCLOSURES REQUIRED BY OTHER LAW
Recommendation:
In Section 164.510(n), HHS allows covered entities to use or disclose protected health information if such use or disclosure is not addressed elsewhere in Section 164.510, is required by other law, and the disclosure meets all the relevant requirements of such law. An area that is not addressed elsewhere where disclosure is required by other law is the legal obligation of covered entities to disclose information to the collective bargaining representative of their employees. It should be clarified that this legal obligation of covered entities, as regulated employers, is a permitted use and disclosure without individual authorization. We recommend the following addition at the end of Section 164.510(n):
An example of such permitted uses and disclosures is the obligation of covered entities under the National Labor Relations Act, 29 U.S.C. §§ 151 et seq., or state or local collective bargaining laws, to disclose information to the collective bargaining representatives of their employees when such information has been requested by the union to meet its representational responsibilities.
Rationale:
The National Labor Relations Act (NLRA), 29 U.S.C. §§ 151, et seq. provides private sector employees with the right to organize and bargain collectively with their employers and governs the relationship between private employers and the representatives of their non-supervisory employees. An employer who is covered by the NLRA is required to bargain with the representative chosen by its employees with regards to the terms and conditions of employment, including the circumstances under which discipline may be imposed by the employer against a member of its workforce. As recognized by the Supreme Court, employers are obligated under the NLRA to comply with a collective bargaining representative's request for information relevant to these statutory responsibilities. The standard of relevance for this purpose is a liberal "discovery-type" standard. See N.L.R.B. v. ACME Industrial Co., 385 U.S. 432, 435-36 (1967). Various states and local jurisdictions have similarly enacted collective bargaining statutes and ordinances in order to provide public sector employees with the right to organize. In many regards, these laws follow these principles of the NLRA.
The National Labor Relations Board (NLRB) has addressed on several occasions the issue of whether an employer must provide the collective bargaining representative requested confidential patient information. The Board has developed a balancing-of-interests test. See e.g. Howard University, 290 N.L.R.B. 1006 (1988). Under that test, the Board has held, for example, that "when a dispute arises concerning the discipline of nurses for errors in patient care, and where a particular portion of a patient's chart would be relevant to a grievance concerning such discipline, either to win the grievance or to dissuade the employee from taking her case to arbitration, that the Union's right to such information must outweigh the patient's right of privacy." LaGuardia Hospital-H.I.P. Hospital, Inc. and LaGuardia Association for Registered Nurses, 260 N.L.R.B. 1455, 1982 NLRB LEXIS 981, *42 (1982). However, the Board has limited disclosure of confidential information to that relevant to the matter in dispute and has restricted the union from divulging the information received to only those persons involved in or necessary to the resolution of the dispute in question.
Given the sometimes contentious nature of employer-employee relations and the developed body of law in this area, it is particularly important for HHS to explicitly state that disclosure in accordance with the NLRA and other collective bargaining laws is not unlawful under the proposed rule.
NOTE: The above discussion should also be labeled: "Relationship to State laws" and "Relationship to other federal laws."
ACCESS FOR INSPECTION AND COPYING
Protecting Minors and Other Vulnerable People from Harm
Out of concern for protecting minors (as well as older people, incapacitated or incompetent people, and others) from abuse by their parents, guardians, or other legal representatives, we suggest that the rule vest covered entities with broader discretion to deny access to protected health information in certain circumstances.
Section 164.514(b)(i) of the proposed rule permits a covered entity to deny an individual access to protected health information whenever:
(i) A licensed health care professional has determined that, in the exercise of reasonable judgment, the inspection and copying requested is reasonably likely to endanger the life or physical safety of the individual or another person. (page 60060)
The Department offers compelling reasons for permitting a denial of access only in the narrow circumstances when a person's life or physical safety would otherwise be at risk, but these reasons pertain only to a situation in which the individual requesting access is also the subject of the protected health information. Thus, the Department cites the example of a health care provider who reasonably determines that certain information about a suicidal or homicidal individual should be withheld from that individual to avoid triggering violence. The Department notes, however, that the presumption in favor of access is so strong when an individual seeks health information about him- or herself that the risk of psychological or emotional harm should not be enough to justify a denial of access.
The balance shifts, however, when a person -- acting as a parent, guardian, other person acting in loco parentis, or legal representative, in accordance with section 164.504 -- seeks access to the protected health information of another. In that case, the imperative is to protect the life, physical safety, and emotional and psychological safety of the vulnerable person who is the subject of the protected health information. Thus, health care professionals who treat victims of child abuse, elder abuse, and other forms of domestic violence should have broad discretion to withhold information about these individuals from those who the professional reasonably believes may harm the patient. Such discretion is especially critical when the patient has revealed the abuse and physical or emotional retaliation by the abuser is a real possibility.
As we read the proposed rule, this situation is not covered by section 164.514(b)(ii), which allows a covered entity to deny access whenever:
(ii) The information is about another person (other than a health care provider) and a licensed health care professional has determined that the inspection and copying requested is reasonably likely to cause substantial harm to such other person.
The Department's explanation of this provision suggests that it governs access to the individual's own health information when that information makes reference to another person. As explained in the preamble (p. 59982), the Department's particular and legitimate concern seems to be the situation in which "[i]nformation about a third party may appear in an individual's records unbeknownst to the individual," and an unauthorized disclosure about this third party should be avoided if it threatens harm.
To differentiate among these three situations, and to provide appropriate discretion to deny access in each one, we recommend the revision of subsections 164.514(b)(i) and (ii) and the addition of a new section (iii), as shown below.
Proposed language:
1. Revise sections 164.514(b)(i) and (ii) and add a new section (iii):
(b) . . . [A] covered entity may deny a request for access under paragraph (a) of this section where:
(i) The individual seeking access is the subject of the protected health information, and a licensed health care professional has determined that, in the exercise of reasonable professional judgment, the inspection and copying requested is reasonably likely to endanger the life or physical safety of the individual or another person;
(ii) The individual seeking access is the subject of the protected health information, but that information makes reference to another person (other than the individual's health care provider), and a licensed health care professional has determined that, in the exercise of reasonable professional judgment, the inspection and copying requested is reasonably likely to cause substantial harm to such other person;
(iii) The individual seeking access is not the subject of the protected health information but is instead a parent, guardian, person acting in loco parentis, or legal representative, in accordance with section 164.504, and a licensed health care professional has determined that, in the exercise of reasonable professional judgment, the inspection and copying requested is reasonably likely to cause harm to the person who is the subject of the protected health information or to another person.
(The other subsections of section 164.514(b) would have to be renumbered accordingly.)
Our suggested revisions and addition are meant to clarify the rule and to provide essential extra protection to those vulnerable people who depend on others to exercise their rights under the rule, but who must be shielded from abuse by those who are given the power to act in their stead.
ACCOUNTING OF DISCLOSURES
Section 164.515 Accounting for disclosures of protected health information.
We commend the Secretary for granting an individual the right to obtain an accounting of disclosures that have been made of protected health information. An individual should be able to find out who has seen their health information and for what purpose. We believe this right of access should extend to a full audit trail where one exists.
Recommendation:
Individuals should have the right to review the full audit trail documenting who has had access to their protected health care information.
Rationale:
The proposed Security Standards would require covered entities to put into place audit trails as a means of policing access to the protected health information maintained in their systems. To the extent a full audit trail documenting who has had access to an individual's protected health information exists, it should be made available to the individual upon request. This practice is useful in detecting alleged violations of confidentiality. The provision of a full audit trail can also help reduce patients' suspicions and provide the motivation for organizations to develop strong measures for protecting patient information. National Research Council, For the Record: Protecting Electronic Health Information (1997) pp. 137-138.
The proposed regulations would only provide access to a small portion of an audit trail, i.e., those disclosures made by a covered entity for purposes other than treatment, payment, and health care operations. The regulations take this approach on the grounds that this is the portion that most people would be interested in and that to provide for a full accounting would be burdensome. We disagree with this rationale. Since the audit trail will already exist for electronic records it would be fairly easy to provide upon request. Furthermore, the individuals who would have an interest in reviewing this information would need to review the full audit trail, not just that portion that pertains to information that is shared with persons outside the covered entity for purposes other than treatment, payment and health care operations. The source of an improper disclosure of or unauthorized access to protected medical information is just as likely to be within a covered entity. (A recent example is the Emory University nurse who claims she was terminated after her supervisor improperly accessed her medical records without her consent and discovered she was suffering from depression.)
We are particularly concerned about the interrelation of the accounting provisions with the provisions allowing (or requiring) disclosures of protected health information without individual authorization for treatment, payment and health care purposes. See section 164.506. By prohibiting the use of authorizations for treatment, payment and health care operations, the draft regulations allow the free-flow of health information for these purposes without any input from the individual. By excluding disclosures made for treatment, payment and health care purposes from the accounting provisions, the regulations also take away from the individual the mechanism by which the individual could verify that there has not been an abuse of this free-floating system. Essentially, the regulations allow this protected health information to be used and disclosed for treatment and payment purposes without any accountability to the individual who is the subject of the information. We believe such a system is woefully inadequate.
AMENDMENT OR CORRECTION
Section 164.516 Amendment and correction.
Summary
The proposed regulations rightly provide an individual with the right to request an amendment or correction of health information. This is an important consumer right which allows an individual to ensure that recorded health information which is relied on not only for treatment purposes, but also for insurance and other purposes, is complete and accurate. However, we believe that the regulations should more closely follow the rights afforded in other federal privacy statutes such as the Privacy Act and the Fair Credit Reporting Act.
1. Grounds for Denial
Recommendation:
A covered entity should not be allowed to deny a request for amendment or correction solely on the basis that it did not create the information.
Rationale:
The proposed regulations permit a covered entity to deny a request for amendment or correction on the grounds that the information was not created by the covered entity. The effect of this regulation is that only the creator of the health information in dispute has an obligation to correct or amend it. We note at the outset that no such restriction is imposed in other laws based on fair information practices such as the Fair Credit Reporting Act or in the Uniform Insurance Information and Privacy Protection Act. There is no need for such a requirement in the present regulations.
Furthermore, the proposed regulation fails to take into account the fact that there may come a time when the creator of the information, the only entity responsible for making corrections, ceases to exist. For instance, in recent years, many health maintenance organizations have gone out of business. The right of the individual to have health information corrected should not be extinguished with the demise of the creator of the information. (Of course, this scenario raises the larger question of how to assure continuity of care and record maintenance, which we understand is probably beyond the scope of the current regulations.) If a covered entity is able to determine the accuracy or completeness of health information from the materials provided, the entity should make the correction or amendment. The provision that allows a covered entity to deny a request to amend solely on the basis that the entity did not create the information should be deleted. Recognizing that there will be times that a covered entity may not be able to verify the accuracy of a requested correction or amendment, we suggest that the language of Sec. 164.516(i) be amended as follows:
Was not created by the covered entity and the covered entity cannot reasonably determine whether the information is accurate or complete.
2. Business Partners' Duty to Amend
Recommendation:
The regulations should provide that the written contract between a covered health provider or health plan and a business partner must require the business partner to correct or amend protected health information in accordance with section 164.516.
Rationale:
Section 164.516(a)(1) of the proposed regulations grants an individual the right to request a covered entity that is a health plan or health care provider to amend or correct protected health information. The regulation then allows a covered entity to deny a request for amendment or correction on the grounds that the information was not created by the covered entity. Section 164.516(a)(2). A problem arises when an error occurs at a business partner, such as a billing service. For instance, a business partner can erroneously code an individual's health information. When the error occurs at the business partner no covered entity "created" the erroneous information. The health provider's information is accurate so it can deny the request to amend or correct. The health plan did not create the erroneous information so it also has grounds to deny the request to correct. And the business partner is not a covered entity and is not encompassed by section 164.516(a). This regulatory scheme effectively creates a gap in an individual's right to have erroneous health information corrected.
The current provisions of section 164.506(e) do not remedy this situation. Under the proposed regulations, a covered entity's contract with a business partner must contain a clause requiring the business partner to incorporate any amendments or corrections to protected health information made by a covered entity when notified of the changes. However, there is no requirement that a business partner correct or amend protected health information where the business partner creates the erroneous health information in the first instance. In order to eliminate this potential gap, the covered entity's written contract should require business partners to correct or amend information at the individual's request pursuant to section 164.516. As a practical matter, individuals have frequent contact with some business partners, such as billing services. The billing service is often given as the point of contact on a patient's bill from a health care provider. It makes sense for the patient to be able to request the business partner, such as the billing service, to correct erroneous information it generated. Since the regulations cannot impose this requirement directly on business partners, they should do so indirectly through the covered entity's contractual provisions.
TRAINING - Section 164.518(b)
We support the requirement for privacy training for all employees in a covered entity's workforce who are likely to obtain access to protected health information. However, we are concerned about the adequacy of the training requirement for covered entities that are component units of larger organizations since fire walls cannot be effectively implemented without training some personnel outside the component unit covered entity. The Secretary recognized this fact in her drafting of the safeguard provisions in Section 164.508(c) but failed to include the concept in her drafting of the training provisions. Accordingly, we urge the Secretary to modify the training provision to expressly require periodic privacy training for appropriate management personnel assigned outside a component unit covered entity.
SAFEGUARDS
Section 164.518(c) Safeguards.
Summary
We strongly agree with the proposed regulations' requiring covered entities to put into place administrative, technical, and physical safeguards to protect against the improper use or disclosure of protected health information. Procedures for verifying the identity of a person or organization that requests information would help prevent improper disclosures. We believe that the verification requirement should apply to all requests for health information originating outside of the covered entity where the covered entity does not regularly do business with the requesting entity. We also support the general requirements of the internal complaint process. Specifically, we agree that it is important that the covered entity must keep a record of the complaints with a "brief explanation of the resolution." We also support the regulatory scheme that allows a complaint to be filed with the Secretary at any time, even if an internal complaint is pending. However, we believe that it is important to provide a time limit and other specific procedures for implementing the internal complaint procedure.
Whistleblowers, Section 164.518(c)(4)
Recommendation:
The exception to the rule which allows a whistleblower to disclose protected information in the instance of possible violation of civil or criminal law should be expanded to include the disclosure, to appropriate law enforcement officials, oversight agencies, or accreditation organizations, of information that shows violations of generally recognized professional or clinical standards or that is evidence of care, services or conditions that potentially endanger one or more patients or workers or the public.
Rationale:
ANA applauds HHS for acknowledging the crucial role played by employees of health care providers and plans in reporting violations of the law. However, Section 164.518(c)(4), which addresses whistleblowers, provides that a whistleblower may disclose otherwise protected information only in the instance of possible violation of civil or criminal law. It is important that this regulation explicitly acknowledge that there are also serious - even life and death - concerns about quality of health care that health care workers, especially professionals, are ethically bound to report to appropriate authorities or other entities such as accrediting surveyors and which may not violate the law. This rule would compound an already intimidating problem in that these health care practitioners are not protected at the Federal level from retaliation from their employers when they raise these concerns. The chilling effect of the lack of protection compromises nursing practice and the health and safety of the patients. This proposed rule is going in the wrong direction: prohibiting disclosure of such information - which could require specific references in explicating the danger - without patient consent would be an enormous burden for the practitioners and dangerous for their patients.
HHS has requested comments as to whether the whistleblower provision should include any additional limitations. We strongly urge that none be added. It is already a very daunting step for members of the health care workforce to engage in whistleblower activities. Employees have very legitimate fears that not only will their employers retaliate against them but also that they will not be able to find other employment if they engage in whistleblowing activities. The proposed subsection already limits the confines of protected whistleblowing activities to those that involve particular types of violations and to those that are made to a limited group of entities. Additional limitations on when disclosures during whistleblowing activities are protected will only further discourage employees from engaging in such activity.
SANCTIONS
Section 164.518(e)
We endorse the provision obligating covered entities to develop and apply internal sanctions for their own failures to comply with the privacy regulations. Based upon the experience of occupational health nurses who have been fired for standing up to pressure from management personnel outside the occupational health department (Gass v. Lord Corp., 1998 U.S. App. LEXIS 6512 (6th Cir. 1998); Easterson v. Long Island Jewish Med. Ctr., 549 N.Y.S.2d 135 (1989)), we note that the sanction provision must reach beyond the workforce of a component unit covered entity if it is to support implementation and operation of effective fire walls.
RELATIONSHIP TO STATE LAWS
Section 160.201 Applicability.
Section 160.202 Definitions.
Section 160.203 General rule and exceptions.
Summary
We strongly support the approach in HIPAA and the proposed regulations that the federal privacy regulations will act as a floor, but not a ceiling, on privacy protections afforded by the States. Under this approach, weaker State health privacy laws are preempted (or overridden) while State laws that offer more protection than the federal regulations will remain. Furthermore, this approach allows a State, in the future, to enact stronger privacy protections to meet the changing needs of its citizens.
We believe that the regulations should provide definitions of the terminology used in the preemption provisions for general purposes, not just for use in the Secretary's advisory opinions. We also believe that the regulation should treat state laws pertaining to disclosures about minors the same as other state laws generally, preempting state laws that are contrary to the proposed rule and less protective of the privacy of minors. Lastly, we are very concerned about the breadth of the provision under which a State may request a waiver that would allow a weaker State health privacy law to stand, essentially making the analogous federal regulation inapplicable in that State.
Definitions
Recommendation:
The regulations should make the definitions of section 160.202 generally applicable to section 264 of Pub. L. 104-191.
Rationale:
Section 1178 of HIPAA, Public Law 104-191 (Aug. 21, 1996), sets out general rules governing when State law provisions are preempted by the requirements of the Administrative Simplification provisions of HIPAA. Section 264 of HIPAA more specifically addresses when regulations promulgated by the Secretary due to Congress's failure to pass legislation governing privacy standards will preempt State law. In the preamble, the Secretary recognizes that there are a number of ambiguities in both section 1178 and 264, and states that "clarifying the regulations will generally provide substantially more guidance to the regulated entities and the public as to which requirements, standards, and implementation specifications apply." The Secretary then lists five definitional questions that arise in considering whether or not a State law is preempted under section 264. In light of this discussion, it appears that the definitions of these terms were intended to apply generally to both section 1178 and section 264.
Section 160.201, however, states only that the provisions which contain the definitions apply to "determinations and advisory opinions issued by the Secretary pursuant to 42 U.S.C. 1320d-7." This statement appears to limit the applicability of the definitions to the Secretary's determinations and advisory opinions, as opposed to providing general guidance on when a State law is preempted.
We suggest that a new provision addressing preemption be added to Subpart E of the regulations. The new regulation should specify that, for purposes of determining whether a State law is preempted by the Secretary's regulations under section 264 of Public Law 104-191, the definitions contained in 45 C.F.R. sec. 160.202 apply.
Section 160.202 (definition of "more stringent") and Section 164.510(n) (uses and disclosures otherwise required by law)
Because we agree with most of the Department's approach to minors in section 164.504, we disagree with the approach taken in section 160.202 of this proposed rule with respect to non-preemption of state laws pertaining to minors. The proposed rule erroneously treats contrary state laws pertaining to minors differently from contrary state laws in other areas, a position that is both illogical and inconsistent with HIPAA. In addition, we disagree with the approach taken in section 164.510(n), which undermines completely HIPAA's and the Department's general approach to preemption of contrary state laws.
Generally, this proposed rule (section 160.203) preempts contrary state laws that are less protective of individual privacy. Despite this general rule, the proposed rule states in section 160.202 (the definition of "more stringent") that laws pertaining to minors will be treated differently. The proposed rule states:
(2) With respect to the rights of individuals of access to or amendment of individually identifiable health information, permits greater rights or [sic] access or amendment, as applicable, provided, however, that nothing in this subchapter shall be construed to preempt any State law to the extent that it authorizes or prohibits disclosure of protected health information regarding a minor to a parent, guardian or person acting in loco parentis of such minor. (page 60051, emphasis added)
This means that all State laws pertaining to disclosures to a parent would stand -- even those contrary to the policy in the proposed rule -- whether those laws are more or less protective of the minor's privacy than the proposed rule.
A state law authorizing or, worse, mandating disclosure of protected health information about a minor to a parent in a case where that minor has lawfully obtained health care services without the consent of a parent is contrary to the policy stated in this proposed rule and less protective of a minor's privacy. Such a state law should be preempted, but under this proposed rule, it is not.
The position we are advocating would not result in the preemption of state laws that establish the circumstances under which minors can access health care services on their own. Thus, for example, state laws that require parental consent or notification before a health care provider may render a health care service to a minor would not be preempted. State laws establishing the circumstances under which minors can lawfully obtain care (whether those laws allow minors to obtain the care without parental involvement or require parental involvement) are not "contrary" to the proposed rule. Indeed, their continued applicability is assured by the proposed rule itself because the proposed rule's definition of "individual" depends upon other sources of law (beyond the proposed rule) to determine "when a minor lawfully obtains a health care service" without parental involvement (emphasis added).
Thus, state law (and, in some cases, federal law) will continue to determine whether a minor can lawfully obtain a health care service on his or her own. But when the minor lawfully can obtain a health care service without parental consent, and has done so, state law should not subsequently permit or require disclosure to a parent of information relating to such care. Such a state law would be preempted under the position we advocate here because it would be contrary to the proposed rule and less protective of the minor's privacy.
It is unclear why the Department decided not to preempt contrary state law pertaining to minors. No rationale is stated in the proposed rule. In addition to being illogical, such an approach is inconsistent with HIPAA, which spells out limited situations in which contrary state laws are not preempted.(4)
Accordingly, we urge the Department to change this aspect of the proposed rule and to treat state laws pertaining to minors the same as other state laws generally: state laws that are contrary to the proposed rule and less protective of the privacy of minors should be preempted. As is the case generally with laws that are more protective of privacy, contrary state laws that are more protective of the privacy of minors should not be preempted.
To accomplish our objective of preempting contrary state laws that are less protective of the privacy of minors, the Department must also delete section 164.510(n). This section states that all uses and disclosures required by other laws are permissible uses and disclosures. This section would apply to a variety of state laws (not just those dealing with minors) that are contrary to the proposed rule and less protective of privacy. (Indeed, a law requiring disclosure is the least protective of privacy since it allows for no discretion.) This section is patently inconsistent with section 160.2