Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 5565-5702 [2013-01073]

Agencies

• DEPARTMENT OF HEALTH AND HUMAN SERVICES
• Office of the Secretary

[Federal Register Volume 78, Number 17 (Friday, January 25, 2013)]
[Rules and Regulations]
[Pages 5565-5702]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-01073]



[[Page 5565]]

Vol. 78

Friday,

No. 17

January 25, 2013

Part II





Department of Health and Human Services





-----------------------------------------------------------------------





Office of the Secretary





-----------------------------------------------------------------------





45 CFR Parts 160 and 164





Modifications to the HIPAA Privacy, Security, Enforcement, and Breach 
Notification Rules Under the Health Information Technology for Economic 
and Clinical Health Act and the Genetic Information Nondiscrimination 
Act; Other Modifications to the HIPAA Rules; Final Rule

Federal Register / Vol. 78 , No. 17 / Friday, January 25, 2013 / 
Rules and Regulations

[[Page 5566]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0945-AA03


Modifications to the HIPAA Privacy, Security, Enforcement, and 
Breach Notification Rules Under the Health Information Technology for 
Economic and Clinical Health Act and the Genetic Information 
Nondiscrimination Act; Other Modifications to the HIPAA Rules

AGENCY: Office for Civil Rights, Department of Health and Human 
Services.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS or ``the 
Department'') is issuing this final rule to: Modify the Health 
Insurance Portability and Accountability Act (HIPAA) Privacy, Security, 
and Enforcement Rules to implement statutory amendments under the 
Health Information Technology for Economic and Clinical Health Act 
(``the HITECH Act'' or ``the Act'') to strengthen the privacy and 
security protection for individuals' health information; modify the 
rule for Breach Notification for Unsecured Protected Health Information 
(Breach Notification Rule) under the HITECH Act to address public 
comment received on the interim final rule; modify the HIPAA Privacy 
Rule to strengthen the privacy protections for genetic information by 
implementing section 105 of Title I of the Genetic Information 
Nondiscrimination Act of 2008 (GINA); and make certain other 
modifications to the HIPAA Privacy, Security, Breach Notification, and 
Enforcement Rules (the HIPAA Rules) to improve their workability and 
effectiveness and to increase flexibility for and decrease burden on 
the regulated entities.

DATES: Effective date: This final rule is effective on March 26, 2013.
    Compliance date: Covered entities and business associates must 
comply with the applicable requirements of this final rule by September 
23, 2013.

FOR FURTHER INFORMATION CONTACT: Andra Wicks 202-205-2292.

SUPPLEMENTARY INFORMATION: 

I. Executive Summary and Background

A. Executive Summary

i. Purpose of the Regulatory Action
Need for the Regulatory Action
    This final rule is needed to strengthen the privacy and security 
protections established under the Health Insurance Portability and 
Accountability of 1996 Act (HIPAA) for individual's health information 
maintained in electronic health records and other formats. This final 
rule also makes changes to the HIPAA rules that are designed to 
increase flexibility for and decrease burden on the regulated entities, 
as well as to harmonize certain requirements with those under the 
Department's Human Subjects Protections regulations. These changes are 
consistent with, and arise in part from, the Department's obligations 
under Executive Order 13563 to conduct a retrospective review of our 
existing regulations for the purpose of identifying ways to reduce 
costs and increase flexibilities under the HIPAA Rules. We discuss our 
specific burden reduction efforts more fully in the Regulatory Impact 
Analysis.
    This final rule is comprised of four final rules, which have been 
combined to reduce the impact and number of times certain compliance 
activities need to be undertaken by the regulated entities.
Legal Authority for the Regulatory Action
    The final rule implements changes to the HIPAA Rules under a number 
of authorities. First, the final rule modifies the Privacy, Security, 
and Enforcement Rules to strengthen privacy and security protections 
for health information and to improve enforcement as provided for by 
the Health Information Technology for Economic and Clinical Health 
(HITECH) Act, enacted as part of the American Recovery and Reinvestment 
Act of 2009 (ARRA). The rule also includes final modifications to the 
Breach Notification Rule, which will replace an interim final rule 
originally published in 2009 as required by the HITECH Act. Second, the 
final rule revises the HIPAA Privacy Rule to increase privacy 
protections for genetic information as required by the Genetic 
Information Nondiscrimination Act of 2008 (GINA). Finally, the 
Department uses its general authority under HIPAA to make a number of 
changes to the Rules that are intended to increase workability and 
flexibility, decrease burden, and better harmonize the requirements 
with those under other Departmental regulations.
ii. Summary of Major Provisions
    This omnibus final rule is comprised of the following four final 
rules:
    1. Final modifications to the HIPAA Privacy, Security, and 
Enforcement Rules mandated by the Health Information Technology for 
Economic and Clinical Health (HITECH) Act, and certain other 
modifications to improve the Rules, which were issued as a proposed 
rule on July 14, 2010. These modifications:
     Make business associates of covered entities directly 
liable for compliance with certain of the HIPAA Privacy and Security 
Rules' requirements.
     Strengthen the limitations on the use and disclosure of 
protected health information for marketing and fundraising purposes, 
and prohibit the sale of protected health information without 
individual authorization.
     Expand individuals' rights to receive electronic copies of 
their health information and to restrict disclosures to a health plan 
concerning treatment for which the individual has paid out of pocket in 
full.
     Require modifications to, and redistribution of, a covered 
entity's notice of privacy practices.
     Modify the individual authorization and other requirements 
to facilitate research and disclosure of child immunization proof to 
schools, and to enable access to decedent information by family members 
or others.
     Adopt the additional HITECH Act enhancements to the 
Enforcement Rule not previously adopted in the October 30, 2009, 
interim final rule (referenced immediately below), such as the 
provisions addressing enforcement of noncompliance with the HIPAA Rules 
due to willful neglect.
    2. Final rule adopting changes to the HIPAA Enforcement Rule to 
incorporate the increased and tiered civil money penalty structure 
provided by the HITECH Act, originally published as an interim final 
rule on October 30, 2009.
    3. Final rule on Breach Notification for Unsecured Protected Health 
Information under the HITECH Act, which replaces the breach 
notification rule's ``harm'' threshold with a more objective standard 
and supplants an interim final rule published on August 24, 2009.
    4. Final rule modifying the HIPAA Privacy Rule as required by the 
Genetic Information Nondiscrimination Act (GINA) to prohibit most 
health plans from using or disclosing genetic information for 
underwriting purposes, which was published as a proposed rule on 
October 7, 2009.

[[Page 5567]]

iii. Costs and Benefits
    This final rule is anticipated to have an annual effect on the 
economy of $100 million or more, making it an economically significant 
rule under Executive Order 12866. Accordingly, we have prepared a 
Regulatory Impact Analysis that presents the estimated costs and 
benefits of the proposed rule. The total cost of compliance with the 
rule's provisions is estimated to be between $114 million and $225.4 
million in the first year of implementation and approximately $14.5 
million annually thereafter. Costs associated with the rule include: 
(i) Costs to HIPAA covered entities of revising and distributing new 
notices of privacy practices to inform individuals of their rights and 
how their information is protected; (ii) costs to covered entities 
related to compliance with breach notification requirements; (iii) 
costs to a portion of business associates to bring their subcontracts 
into compliance with business associate agreement requirements; and 
(iv) costs to a portion of business associates to achieve full 
compliance with the Security Rule. We summarize these costs in Table 1 
below and explain the components and distribution of costs in detail in 
the Regulatory Impact Analysis.
    We are not able to quantify the benefits of the rule due to lack of 
data and the impossibility of monetizing the value of individuals' 
privacy and dignity, which we believe will be enhanced by the 
strengthened privacy and security protections, expanded individual 
rights, and improved enforcement enabled by the rule. We also believe 
that some entities affected by the rule will realize cost savings as a 
result of provisions that simplify and streamline certain requirements, 
and increase flexibility, under the HIPAA Rules. However, we are unable 
to quantify such cost savings due to a lack of data. We describe such 
benefits in the Regulatory Impact Analysis.

               Table 1--Estimated Costs of the Final Rule
------------------------------------------------------------------------
                                 Approximate number of
         Cost element              affected entities       Total cost
------------------------------------------------------------------------
Notices of Privacy Practices..  700,000 covered         $55.9 million.
                                 entities.
Breach Notification             19,000 covered          14.5 million.\1\
 Requirements.                   entities.
Business Associate Agreements.  250,000-500,000         21 million-42
                                 business associates     million.
                                 of covered entities.
Security Rule Compliance by     200,000-400,000         22.6 million-113
 Business Associates.            business associates     million.
                                 of covered entities.
                               -----------------------------------------
    Total.....................  ......................  114 million-
                                                         225.4 million.
------------------------------------------------------------------------

B. Statutory and Regulatory Background

i. HIPAA and the Privacy, Security, and Enforcement Rules
    The  HIPAA Privacy, Security, and Enforcement Rules implement 
certain of the Administrative Simplification provisions of title II, 
subtitle F, of the Health Insurance Portability and Accountability Act 
of 1996 (HIPAA) (Pub. L. 104-191), which added a new part C to title XI 
of the Social Security Act (sections 1171-1179 of the Social Security 
Act, 42 U.S.C. 1320d-1320d-8). The HIPAA Administrative Simplification 
provisions provided for the establishment of national standards for the 
electronic transmission of certain health information, such as 
standards for certain health care transactions conducted electronically 
and code sets and unique identifiers for health care providers and 
employers. The HIPAA Administrative Simplification provisions also 
required the establishment of national standards to protect the privacy 
and security of personal health information and established civil money 
penalties for violations of the Administrative Simplification 
provisions. The Administrative Simplification provisions of HIPAA apply 
to three types of entities, which are known as ``covered entities'': 
health care providers who conduct covered health care transactions 
electronically, health plans, and health care clearinghouses.
---------------------------------------------------------------------------

    \1\ The costs associated with breach notification will be 
incurred on an annual basis. All other costs are expected in the 
first year of implementation.
---------------------------------------------------------------------------

    The HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of 
Part 164, requires covered entities to have safeguards in place to 
ensure the privacy of protected health information, sets forth the 
circumstances under which covered entities may use or disclose an 
individual's protected health information, and gives individuals rights 
with respect to their protected health information, including rights to 
examine and obtain a copy of their health records and to request 
corrections. Covered entities that engage business associates to work 
on their behalf must have contracts or other arrangements in place with 
their business associates to ensure that the business associates 
safeguard protected health information, and use and disclose the 
information only as permitted or required by the Privacy Rule.
    The HIPAA Security Rule, 45 CFR Part 160 and Subparts A and C of 
Part 164, applies only to protected health information in electronic 
form and requires covered entities to implement certain administrative, 
physical, and technical safeguards to protect this electronic 
information. Like the Privacy Rule, covered entities must have 
contracts or other arrangements in place with their business associates 
that provide satisfactory assurances that the business associates will 
appropriately safeguard the electronic protected health information 
they create, receive, maintain, or transmit on behalf of the covered 
entities.
    The HIPAA Enforcement Rule, 45 CFR Part 160, Subparts C-E, 
establishes rules governing the compliance responsibilities of covered 
entities with respect to the enforcement process, including the rules 
governing investigations by the Department, rules governing the process 
and grounds for establishing the amount of a civil money penalty where 
a violation of a HIPAA Rule has been found, and rules governing the 
procedures for hearings and appeals where the covered entity challenges 
a violation determination.
    Since the promulgation of the HIPAA Rules, legislation has been 
enacted requiring modifications to the Rules. In particular, the Health 
Information Technology for Economic and Clinical Health (HITECH) Act, 
which was enacted on February 17, 2009, as title XIII of division A and 
title IV of division B of the American Recovery and Reinvestment Act of 
2009 (ARRA), Public Law 111-5, modifies certain provisions of the 
Social Security Act pertaining to the HIPAA Rules, as well as requires 
certain modifications to the Rules themselves, to strengthen HIPAA 
privacy, security, and enforcement. The

[[Page 5568]]

Act also provides new requirements for notification of breaches of 
unsecured protected health information by covered entities and business 
associates. In addition, the Genetic Information Nondiscrimination Act 
of 2008 (GINA) calls for changes to the HIPAA Privacy Rule to 
strengthen privacy protections for genetic information. This final rule 
implements the modifications required by GINA, as well as most of the 
privacy, security, and enforcement provisions of the HITECH Act. This 
final rule also includes certain other modifications to the HIPAA Rules 
to improve their workability and effectiveness.
ii. The Health Information Technology for Economic and Clinical Health 
Act
    The HITECH Act is designed to promote the widespread adoption and 
interoperability of health information technology. Subtitle D of title 
XIII, entitled ``Privacy,'' supports this goal by adopting amendments 
designed to strengthen the privacy and security protections for health 
information established by HIPAA. These provisions include extending 
the applicability of certain of the Privacy and Security Rules' 
requirements to the business associates of covered entities; requiring 
that Health Information Exchange Organizations and similar 
organizations, as well as personal health record vendors that provide 
services to covered entities, shall be treated as business associates; 
requiring HIPAA covered entities and business associates to provide for 
notification of breaches of ``unsecured protected health information''; 
establishing new limitations on the use and disclosure of protected 
health information for marketing and fundraising purposes; prohibiting 
the sale of protected health information; and expanding individuals' 
rights to access their protected health information, and to obtain 
restrictions on certain disclosures of protected health information to 
health plans. In addition, subtitle D adopts provisions designed to 
strengthen and expand HIPAA's enforcement provisions.
    We discuss these statutory provisions in more detail below where we 
describe section-by-section how this final rule implements the 
provisions. We do not address in this rulemaking the accounting for 
disclosures requirement in section 13405 of the Act, which is the 
subject of a separate proposed rule published on May 31, 2011, at 76 FR 
31426, or the penalty distribution methodology requirement in section 
13410(c) of the Act, which will be the subject of a future rulemaking.
    Since enactment of the HITECH Act a number of steps have been taken 
to implement the strengthened privacy, security, and enforcement 
provisions through rulemakings and related actions. On August 24, 2009, 
the Department published interim final regulations to implement the 
breach notification provisions at section 13402 of the HITECH Act (74 
FR 42740), which were effective September 23, 2009. Similarly, the 
Federal Trade Commission (FTC) published final regulations implementing 
the breach notification provisions at section 13407 for personal health 
record vendors and their third party service providers on August 25, 
2009 (74 FR 42962), effective September 24, 2009. For purposes of 
determining to what information the HHS and FTC breach notification 
regulations apply, the Department also issued, first on April 17, 2009 
(published on April 27, 2009, 74 FR 19006), and then later with its 
interim final rule, the guidance required by the HITECH Act under 
13402(h) specifying the technologies and methodologies that render 
protected health information unusable, unreadable, or indecipherable to 
unauthorized individuals. Additionally, to conform the provisions of 
the Enforcement Rule to the HITECH Act's tiered and increased civil 
money penalty structure, which became effective on February 18, 2009, 
the Department published an interim final rule on October 30, 2009 (74 
FR 56123), effective November 30, 2009.
    The Department published a notice of proposed rulemaking (NPRM) on 
July 14, 2010, (75 FR 40868) to implement many of the remaining 
privacy, security, and enforcement provisions of the HITECH Act. The 
public was invited to comment on the proposed rule for 60 days 
following publication. The comment period closed on September 13, 2010. 
The Department received about 300 comments on the NPRM.
    The NPRM proposed to extend the applicability of certain of the 
Privacy and Security Rules' requirements to the business associates of 
covered entities, making business associates directly liable for 
violations of these requirements. Additionally, the NPRM proposed to 
define a subcontractor as a business associate to ensure any protected 
health information the subcontractor creates or receives on behalf of 
the business associate is appropriately safeguarded. The NPRM proposed 
to establish new limitations on the use and disclosure of protected 
health information for marketing and fundraising purposes and to 
prohibit the sale of protected health information without an 
authorization. The NPRM also proposed to expand an individual's right 
to obtain an electronic copy of an individual's protected health 
information, and the right to restrict certain disclosures of protected 
health information to a health plan for payment or health care 
operations purposes. In addition, the NPRM proposed to further modify 
the Enforcement Rule to implement more of the HITECH Act's changes to 
HIPAA enforcement.
    In addition to the proposed modifications to implement the HITECH 
Act, the NPRM also proposed certain other modifications to the HIPAA 
Rules. The NPRM proposed to permit the use of compound authorizations 
for conditioned and unconditioned research activities and requested 
comment regarding permitting authorizations for future research. 
Additionally, the NPRM proposed to modify the Privacy Rule's 
application to the individually identifiable health information of 
decedents and to permit covered entities that obtain the agreement of a 
parent to provide proof of immunization without written authorization 
to schools that are required to have such information.
iii. The Genetic Information Nondiscrimination Act
    The Genetic Information Nondiscrimination Act of 2008 (``GINA''), 
Pub. L. 110-233, 122 Stat. 881, prohibits discrimination based on an 
individual's genetic information in both the health coverage (Title I) 
and employment (Title II) contexts. In addition to the 
nondiscrimination provisions, section 105 of Title I of GINA contains 
new privacy protections for genetic information, which require the 
Secretary of HHS to revise the Privacy Rule to clarify that genetic 
information is health information and to prohibit group health plans, 
health insurance issuers (including HMOs), and issuers of Medicare 
supplemental policies from using or disclosing genetic information for 
underwriting purposes.
    On October 7, 2009, the Department published a proposed rule to 
strengthen the privacy protections for genetic information under the 
HIPAA Privacy Rule by implementing the protections for genetic 
information required by GINA and making related changes to the Rule. 
The 60-day public comment period for the proposed rule closed on 
December 7, 2009. The Department received about 25 comments on the 
proposed rule.

II. Overview of the Final Rule

    In this final rule the Department finalizes the modifications to 
the HIPAA Privacy, Security, and Enforcement Rules to implement many of 
the

[[Page 5569]]

privacy, security, and enforcement provisions of the HITECH Act and 
make other changes to the Rules; modifies the Breach Notification Rule; 
finalizes the modifications to the HIPAA Privacy Rule to strengthen 
privacy protections for genetic information; and responds to the public 
comments received on the proposed and interim final rules. Section III 
below describes the effective and compliance dates of the final rule. 
Section IV describes the changes to the HIPAA Privacy, Security, and 
Enforcement Rules under the HITECH Act and other modifications that 
were proposed in July 2010, as well as the modifications to the 
Enforcement Rule under the HITECH Act that were addressed in the 
interim final rule published in October 2009. Section V describes the 
changes to the Breach Notification Rule. Section VI discusses the 
changes to the HIPAA Privacy Rule to strengthen privacy protections for 
genetic information.

III. Effective and Compliance Dates

    With respect to the HITECH Act requirements, section 13423 of the 
Act provides that the provisions in subtitle D took effect one year 
after enactment, i.e., on February 18, 2010, except as specified 
otherwise. However, there are a number of exceptions to this general 
rule. For example, the tiered and increased civil money penalty 
provisions of section 13410(d) were effective for violations occurring 
after the date of enactment, and sections 13402 and 13407 of the Act 
regarding breach notification required interim final rules within 180 
days of enactment, with effective dates 30 days after the publication 
of such rules. Other provisions of the Act have later effective dates. 
For example, the provision at section 13410(a)(1) of the Act providing 
that the Secretary's authority to impose a civil money penalty will 
only be barred to the extent a criminal penalty has been imposed, 
rather than in cases in which the offense in question merely 
constitutes an offense that is criminally punishable, became effective 
for violations occurring on or after February 18, 2011. The discussion 
below generally pertains to the statutory provisions that became 
effective on February 18, 2010, or, in a few cases, on a later date.

Proposed Rule

    We proposed that covered entities and business associates would 
have 180 days beyond the effective date of the final rule to come into 
compliance with most of the rule's provisions. We believed that a 180-
day compliance period would suffice for future modifications to the 
HIPAA Rules, and we proposed to add a provision at Sec.  160.105 to 
address the compliance date generally for implementation of new or 
modified standards in the HIPAA Rules. We proposed that Sec.  160.105 
would provide that with respect to new standards or implementation 
specifications or modifications to standards or implementation 
specifications in the HIPAA Rules, except as otherwise provided, 
covered entities and business associates would be required to comply 
with the applicable new or modified standards or implementation 
specifications no later than 180 days from the effective date of any 
such change. For future modifications to the HIPAA Rules necessitating 
a longer compliance period, we would specify a longer period in the 
regulatory text. Finally, we proposed to retain the compliance date 
provisions at Sec. Sec.  164.534 and 164.318, which provide the 
compliance dates of April 14, 2003, and April 20, 2005, for initial 
implementation of the HIPAA Privacy and Security Rules, respectively, 
for historical purposes only.

Overview of Public Comments

    Most of the comments addressing the proposed compliance periods as 
outlined above fell into three categories. First, several commenters 
supported the proposed compliance timelines and agreed that 180 days is 
sufficient time for covered entities, business associates, and 
subcontractors of all sizes to come into compliance with the final 
rule. Second, a few commenters supported the proposed 180-day 
compliance period, but expressed concern that the Department may wish 
to extend the 180-day compliance period in the future, if it issues 
modifications or new provisions that require a longer compliance 
period. Third, several commenters requested that the Department extend 
the 180-day compliance period both with regard to the modifications 
contained in this final rule and with regard to the more general 
proposed compliance deadline, as they believe 180 days is an 
insufficient amount of time for covered entities, business associates, 
and subcontractors to come into compliance with the modified rules, 
particularly with regard to changes in technology.

Final Rule

    The final rule is effective on March 26, 2013. Covered entities and 
business associates of all sizes will have 180 days beyond the 
effective date of the final rule to come into compliance with most of 
the final rule's provisions, including the modifications to the Breach 
Notification Rule and the changes to the HIPAA Privacy Rule under GINA. 
We understand that some covered entities, business associates, and 
subcontractors remain concerned that a 180-day period does not provide 
sufficient time to come into compliance with the modifications. 
However, we believe not only that providing a 180-day compliance period 
best comports with section 1175(b)(2) of the Social Security Act, 42 
U.S.C. 1320d-4, and our implementing provision at Sec.  160.104(c)(1), 
which require the Secretary to provide at least a 180-day period for 
covered entities to comply with modifications to standards and 
implementation specifications in the HIPAA Rules, but also that 
providing a 180-day compliance period best protects the privacy and 
security of patient information, in accordance with the goals of the 
HITECH Act.
    In addition, to make clear to the industry our expectation that 
going forward we will provide a 180-day compliance date for future 
modifications to the HIPAA Rules, we adopt the provision we proposed at 
Sec.  160.105, which provides that with respect to new or modified 
standards or implementation specifications in the HIPAA Rules, except 
as otherwise provided, covered entities and business associates must 
comply with the applicable new or modified standards or implementation 
specifications no later than 180 days from the effective date of any 
such change. In cases where a future modification necessitates a longer 
compliance period, the Department will expressly provide for one, as it 
has done in this rulemaking with respect to the time permitted for 
business associate agreements to be modified.
    For the reasons proposed, the final rule also retains the 
compliance date provisions at Sec. Sec.  164.534 and 164.318, which 
provide the compliance dates of April 14, 2003, and April 20, 2005, for 
initial implementation of the HIPAA Privacy and Security Rules, 
respectively. We note that Sec.  160.105 regarding the compliance date 
of new or modified standards or implementation specifications does not 
apply to modifications to the provisions of the HIPAA Enforcement Rule, 
because such provisions are not standards or implementation 
specifications (as the terms are defined at Sec.  160.103). Such 
provisions are in effect and apply at the time the final rule becomes 
effective or as otherwise specifically provided. In addition, as 
explained above, our general rule for a 180-day compliance period for 
new or modified standards would not apply where we expressly provide a 
different compliance period in

[[Page 5570]]

the regulation for one or more provisions. For purposes of this rule, 
the 180-day compliance period would not govern the time period required 
to modify those business associate agreements that qualify for the 
longer transition period in Sec.  164.532, as we discuss further below.
    Finally, the provisions of section 13402(j) of the HITECH Act apply 
to breaches of unsecured protected health information discovered on or 
after September 23, 2009, the date of the publication of the interim 
final rule. Thus, during the 180 day period before compliance with this 
final rule is required, covered entities and business associates are 
still required to comply with the breach notification requirements 
under the HITECH Act and must continue to comply with the requirements 
of the interim final rule. We believe that this transition period 
provides covered entities and business associates with adequate time to 
come into compliance with the revisions in this final rule and at the 
same time to continue to fulfill their breach notification obligations 
under the HITECH Act.

IV. Modifications to the HIPAA Privacy, Security, and Enforcement Rules 
Under the HITECH Act; Other Modifications to the HIPAA Rules

    The discussion below provides a section-by-section description of 
the final rule, as well as responds to public comments where 
substantive comments were received regarding particular provisions.

A. Subparts A and B of Part 160: Statutory Basis and Purpose, 
Applicability, Definitions, and Preemption of State Law

    Subpart A of Part 160 of the HIPAA Rules contains general 
provisions that apply to all of the HIPAA Rules. Subpart B of Part 160 
contains the regulatory provisions implementing HIPAA's preemption 
provisions. We proposed to amend a number of these provisions. Some of 
the proposed, and now final, changes are necessitated by the statutory 
changes made by the HITECH Act and GINA, while others are of a 
technical or conforming nature.
1. Subpart A--General Provisions, Section 160.101--Statutory Basis and 
Purpose
    This section sets out the statutory basis and purpose of the HIPAA 
Rules. We proposed and include in this final rule a technical change to 
include references to the provisions of GINA and the HITECH Act upon 
which most of the regulatory changes below are based.
2. Subpart A--General Provisions, Section 160.102--Applicability
    This section sets out to whom the HIPAA Rules apply. We proposed to 
add and include in this final rule a new paragraph (b) to make clear, 
consistent with the HITECH Act, that certain of the standards, 
requirements, and implementation specifications of the subchapter apply 
to business associates.
3. Subpart A--General Provisions, Section 160.103--Definitions
    Section 160.103 contains definitions of terms that appear 
throughout the HIPAA Rules. The final rule modifies a number of these 
definitions to implement the HITECH Act and make other needed changes.
a. Definition of ``Business Associate''
    The HIPAA Privacy and Security Rules permit a covered entity to 
disclose protected health information to a business associate, and 
allow a business associate to create, receive, maintain, or transmit 
protected health information on its behalf, provided the covered entity 
obtains satisfactory assurances in the form of a contract or other 
arrangement that the business associate will appropriately safeguard 
the information. The HIPAA Rules define ``business associate'' 
generally to mean a person who performs functions or activities on 
behalf of, or certain services for, a covered entity that involve the 
use or disclosure of protected health information. We proposed a number 
of modifications to the definition of ``business associate'' to 
implement the HITECH Act, to conform the term to the statutory 
provisions of the Patient Safety and Quality Improvement Act of 2005 
(PSQIA), 42 U.S.C. 299b-21, et seq., and to make other changes to the 
definition.
i. Inclusion of Patient Safety Organizations
Proposed Rule
    We proposed to add patient safety activities to the list of 
functions and activities a person may undertake on behalf of a covered 
entity that give rise to a business associate relationship. PSQIA, at 
42 U.S.C. 299b-22(i)(1), provides that Patient Safety Organizations 
(PSOs) must be treated as business associates when applying the Privacy 
Rule. PSQIA provides for the establishment of PSOs to receive reports 
of patient safety events or concerns from providers and provide 
analyses of events to reporting providers. A reporting provider may be 
a HIPAA covered entity and, thus, information reported to a PSO may 
include protected health information that the PSO may analyze on behalf 
of the covered provider. The analysis of such information is a patient 
safety activity for purposes of PSQIA and the Patient Safety Rule, 42 
CFR 3.10, et seq. While the HIPAA Rules as written would treat a PSO as 
a business associate when the PSO was performing quality analyses and 
other activities on behalf of a covered health care provider, we 
proposed this change to the definition of ``business associate'' to 
more clearly align the HIPAA and Patient Safety Rules.
Overview of Public Comment
    Commenters on this topic supported the express inclusion of patient 
safety activities within the definition of ``business associate.''
Final Rule
    The final rule adopts the proposed modification.
ii. Inclusion of Health Information Organizations (HIO), E-Prescribing 
Gateways, and Other Persons That Facilitate Data Transmission; as Well 
as Vendors of Personal Health Records
Proposed Rule
    Section 13408 of the HITECH Act provides that an organization, such 
as a Health Information Exchange Organization, E-prescribing Gateway, 
or Regional Health Information Organization, that provides data 
transmission of protected health information to a covered entity (or 
its business associate) and that requires access on a routine basis to 
such protected health information must be treated as a business 
associate for purposes of the Act and the HIPAA Privacy and Security 
Rules. Section 13408 also provides that a vendor that contracts with a 
covered entity to allow the covered entity to offer a personal health 
record to patients as part of the covered entity's electronic health 
record shall be treated as a business associate. Section 13408 requires 
that such organizations and vendors enter into a written business 
associate contract or other arrangement with the covered entity in 
accordance with the HIPAA Rules.
    In accordance with the Act, we proposed to modify the definition of 
``business associate'' to explicitly designate these persons as 
business associates. Specifically, we proposed to include in the 
definition: (1) A Health Information Organization, E-prescribing 
Gateway, or other person that provides data transmission services with 
respect

[[Page 5571]]

to protected health information to a covered entity and that requires 
routine access to such protected health information; and (2) a person 
who offers a personal health record to one or more individuals on 
behalf of a covered entity.
    We proposed to refer to ``Health Information Organization'' in the 
NPRM rather than ``Health Information Exchange Organization'' as used 
in the Act because it is our understanding that ``Health Information 
Organization'' is the more widely recognized and accepted term to 
describe an organization that oversees and governs the exchange of 
health-related information among organizations.\2\ The Act also 
specifically refers to Regional Health Information Organizations; 
however, we did not believe the inclusion of the term in the definition 
of ``business associate'' was necessary as a Regional Health 
Information Organization is simply a Health Information Organization 
that governs health information exchange among organizations within a 
defined geographic area.\3\ Further, the specific terms of ``Health 
Information Organization'' and ``E-prescribing Gateway'' were included 
as merely illustrative of the types of organizations that would fall 
within this paragraph of the definition of ``business associate.'' We 
requested comment on the use of these terms within the definition and 
whether additional clarifications or additions were necessary.
---------------------------------------------------------------------------

    \2\ Department of Health and Human Services Office of the 
National Coordinator for Health Information Technology, The National 
Alliance for Health Information Technology Report to the Office of 
the National Coordinator for Health Information Technology: Defining 
Key Health Information Terms, Pg. 24 (2008).
    \3\ Id. at 25.
---------------------------------------------------------------------------

    Section 13408 also provides that the data transmission 
organizations that the Act requires to be treated as business 
associates are those that require access to protected health 
information on a routine basis. Conversely, data transmission 
organizations that do not require access to protected health 
information on a routine basis would not be treated as business 
associates. This is consistent with our prior interpretation of the 
definition of ``business associate,'' through which we have stated that 
entities that act as mere conduits for the transport of protected 
health information but do not access the information other than on a 
random or infrequent basis are not business associates. See https://www.hhs.gov/ocr/privacy/hipaa/faq/providers/business/245.html. In 
contrast, entities that manage the exchange of protected health 
information through a network, including providing record locator 
services and performing various oversight and governance functions for 
electronic health information exchange, have more than ``random'' 
access to protected health information and thus, would fall within the 
definition of ``business associate.''
Overview of Public Comments
    Commenters generally supported the inclusion of Health Information 
Organizations, personal health record vendors, and similar entities in 
the definition of ``business associate.'' However, commenters sought 
various clarifications as discussed below.
    Commenters generally supported use of the term Health Information 
Organization in lieu of more restrictive terms, such as Regional Health 
Information Organization. Some commenters suggested that the term 
Health Information Organization be defined, so as to avoid confusion as 
the industry develops, and suggested various alternatives for doing so. 
Several commenters recommended that the Office for Civil Rights (OCR) 
maintain a Web site link that lists current terms for entities that OCR 
considers to be Health Information Organizations.
    Other commenters requested clarification on what it means to have 
``access on a routine basis'' to protected health information for 
purposes of the definition and determining whether certain entities are 
excluded as mere conduits. For example, commenters asked whether the 
definition of business associate would include broadband suppliers or 
internet service providers, vendors that only have the potential to 
come into contact with protected health information, or entities 
contracted on a contingency basis that may at some point in the future 
have access to protected health information. Several document storage 
companies argued that entities like theirs should be characterized as 
conduits, as they do not view the protected health information they 
store.
    Several commenters sought clarification regarding when personal 
health record vendors would be considered business associates. For 
example, commenters asked whether personal health record vendors would 
be business associates when the vendor provided the personal health 
record in collaboration with the covered entity, when the personal 
health record is linked to a covered entity's electronic health record, 
or when the personal health record is offered independently to the 
individual, among other scenarios. One commenter suggested that a 
vendor offering a personal health record to a patient on behalf of a 
covered entity only acts as a conduit because there is no access by the 
vendor to protected health information; another commenter suggested 
that personal health record vendors be business associates only when 
they have routine access to protected health information.
Final Rule
    The final rule adopts the language that expressly designates as 
business associates: (1) A Health Information Organization, E-
prescribing Gateway, or other person that provides data transmission 
services with respect to protected health information to a covered 
entity and that requires routine access to such protected health 
information; and (2) a person who offers a personal health record to 
one or more individuals on behalf of a covered entity.
    We decline to provide a definition for Health Information 
Organization. We recognize that the industry continues to develop and 
thus the type of entities that may be considered Health Information 
Organizations continues to evolve. For this reason, we do not think it 
prudent to include in the regulation a specific definition at this 
time. We anticipate continuing to issue guidance in the future on our 
web site on the types of entities that do and do not fall within the 
definition of business associate, which can be updated as the industry 
evolves.
    Regarding what it means to have ``access on a routine basis'' to 
protected health information with respect to determining which types of 
data transmission services are business associates versus mere 
conduits, such a determination will be fact specific based on the 
nature of the services provided and the extent to which the entity 
needs access to protected health information to perform the service for 
the covered entity. The conduit exception is a narrow one and is 
intended to exclude only those entities providing mere courier 
services, such as the U.S. Postal Service or United Parcel Service and 
their electronic equivalents, such as internet service providers (ISPs) 
providing mere data transmission services. As we have stated in prior 
guidance, a conduit transports information but does not access it other 
than on a random or infrequent basis as necessary to perform the 
transportation service or as required by other law. For example, a 
telecommunications company may have occasional, random access to 
protected health information when it reviews whether the data 
transmitted over its network is arriving

[[Page 5572]]

at its intended destination. Such occasional, random access to 
protected health information would not qualify the company as a 
business associate. In contrast, an entity that requires access to 
protected health information in order to perform a service for a 
covered entity, such as a Health Information Organization that manages 
the exchange of protected health information through a network on 
behalf of covered entities through the use of record locator services 
for its participants (and other services), is not considered a conduit 
and, thus, is not excluded from the definition of business associate. 
We intend to issue further guidance in this area as electronic health 
information exchange continues to evolve.
    We note that the conduit exception is limited to transmission 
services (whether digital or hard copy), including any temporary 
storage of transmitted data incident to such transmission. In contrast, 
an entity that maintains protected health information on behalf of a 
covered entity is a business associate and not a conduit, even if the 
entity does not actually view the protected health information. We 
recognize that in both situations, the entity providing the service to 
the covered entity has the opportunity to access the protected health 
information. However, the difference between the two situations is the 
transient versus persistent nature of that opportunity. For example, a 
data storage company that has access to protected health information 
(whether digital or hard copy) qualifies as a business associate, even 
if the entity does not view the information or only does so on a random 
or infrequent basis. Thus, document storage companies maintaining 
protected health information on behalf of covered entities are 
considered business associates, regardless of whether they actually 
view the information they hold. To help clarify this point, we have 
modified the definition of ``business associate'' to generally provide 
that a business associate includes a person who ``creates, receives, 
maintains, or transmits'' (emphasis added) protected health information 
on behalf of a covered entity.
    Several commenters sought clarification on when a personal health 
record vendor would be providing a personal health record ``on behalf 
of'' a covered entity and thus, would be a business associate for 
purposes of the HIPAA Rules. As with data transmission services, 
determining whether a personal health record vendor is a business 
associate is a fact specific determination. A personal health record 
vendor is not a business associate of a covered entity solely by virtue 
of entering into an interoperability relationship with a covered 
entity. For example, when a personal health record vendor and a covered 
entity establish the electronic means for a covered entity's electronic 
health record to send protected health information to the personal 
health record vendor pursuant to the individual's written 
authorization, it does not mean that the personal health record vendor 
is offering the personal health record on behalf of the covered entity, 
even if there is an agreement between the personal health record vendor 
and the covered entity governing the exchange of data (such as an 
agreement specifying the technical specifications for exchanging of 
data or specifying that such data shall be kept confidential). In 
contrast, when a covered entity hires a vendor to provide and manage a 
personal health record service the covered entity wishes to offer its 
patients or enrollees, and provides the vendor with access to protected 
health information in order to do so, the personal health record vendor 
is a business associate.
    A personal health record vendor may offer personal health records 
directly to individuals and may also offer personal health records on 
behalf of covered entities. In such cases, the personal health record 
vendor is only subject to HIPAA as a business associate with respect to 
personal health records that are offered to individuals on behalf of 
covered entities.
    We also clarify that, contrary to one commenter's suggestion, a 
personal health record vendor that offers a personal health record to a 
patient on behalf of a covered entity does not act merely as a conduit. 
Rather, the personal health record vendor is maintaining protected 
health information on behalf of the covered entity (for the benefit of 
the individual). Further, a personal health record vendor that operates 
a personal health record on behalf of a covered entity is a business 
associate if it has access to protected health information, regardless 
of whether the personal health record vendor actually exercises this 
access. We believe the revisions to the definition of ``business 
associate'' discussed above clarify these points. As with other aspects 
of the definition of ``business associate,'' we intend to provide 
future guidance on when a personal health record vendor is a business 
associate for purposes of the HIPAA Rules.
Response to Other Public Comments
    Comment: One commenter recommended that the term ``person'' used in 
describing who provides transmission services to a covered entity be 
clarified to apply also to entities and organizations.
    Response: The term ``person'' as defined at Sec.  160.103 includes 
entities as well as natural persons.
    Comment: One commenter asked whether subcontractors that support 
business associates with personal health record related functions are 
subject to the breach notification requirements under the HIPAA Breach 
Notification Rule or that of the FTC.
    Response: As discussed below, a subcontractor that creates, 
receives, maintains, or transmits protected health information on 
behalf of a business associate, including with respect to personal 
health record functions, is a HIPAA business associate and thus, is 
subject to the HIPAA Breach Notification Rule and not that of the FTC. 
The analysis of whether a subcontractor is acting on behalf of a 
business associate is the same analysis as discussed above with respect 
to whether a business associate is acting on behalf of a covered 
entity.
iii. Inclusion of Subcontractors
Proposed Rule
    We proposed in the definition of ``business associate'' to provide 
that subcontractors of a covered entity, i.e., those persons that 
perform functions for or provide services to a business associate other 
than in the capacity as a member of the business associate's workforce, 
are also business associates to the extent that they require access to 
protected health information. We also proposed to define 
``subcontractor'' in Sec.  160.103 as a person who acts on behalf of a 
business associate, other than in the capacity of a member of the 
workforce of such business associate. Even though we used the term 
``subcontractor,'' which implies there is a contract in place between 
the parties, the definition would apply to an agent or other person who 
acts on behalf of the business associate, even if the business 
associate has failed to enter into a business associate contract with 
the person. We requested comment on the use of the term 
``subcontractor'' and its proposed definition.
    The intent of the proposed extension of the Rules to subcontractors 
was to avoid having privacy and security protections for protected 
health information lapse merely because a function is performed by an 
entity that is a subcontractor rather than an entity

[[Page 5573]]

with a direct relationship with a covered entity. Allowing such a lapse 
in privacy and security protections could allow business associates to 
avoid liability imposed upon them by sections 13401 and 13404 of the 
Act. Further, applying HIPAA privacy and security requirements directly 
to subcontractors also ensures that the privacy and security 
protections of the HIPAA Rules extend beyond covered entities to those 
entities that create or receive protected health information in order 
for the covered entity to perform its health care functions. Therefore, 
we proposed that downstream entities that work at the direction of or 
on behalf of a business associate and handle protected health 
information would also be required to comply with the applicable 
Privacy and Security Rule provisions in the same manner as the primary 
business associate, and likewise would incur liability for acts of 
noncompliance. This proposed modification would not require the covered 
entity to have a contract with the subcontractor; rather, the 
obligation would remain on each business associate to obtain 
satisfactory assurances in the form of a written contract or other 
arrangement that a subcontractor will appropriately safeguard protected 
health information. For example, if a business associate, such as a 
third party administrator, hires a company to handle document and media 
shredding to securely dispose of paper and electronic protected health 
information, then the shredding company would be directly required to 
comply with the applicable requirements of the HIPAA Security Rule 
(e.g., with respect to proper disposal of electronic media) and the 
Privacy Rule (e.g., with respect to limiting its uses and disclosures 
of the protected health information in accordance with its contract 
with the business associate).
Overview of Public Comments
    While some commenters generally supported extending the business 
associate provisions of the Rules to subcontractors, many opposed such 
an extension arguing, among other things, that doing so was not the 
intent of Congress and beyond the statutory authority of the 
Department, that confusion may ensue with covered entities seeking to 
establish direct business associate contracts with subcontractors or 
prohibiting business associates from establishing subcontractor 
relationships altogether, and/or that creating direct liability for 
subcontractors will discourage such entities from operating and 
participating in the health care industry. Some commenters asked how 
far down the ``chain'' of subcontractors do the HIPAA Rules apply--
i.e., do the Rules apply only to the first tier subcontractor or to all 
subcontractors down the chain.
    In response to our request for comment on this issue, several 
commenters were concerned that use of the term subcontractor was 
confusing and instead suggested a different term be used, such as 
business associate contractor or downstream business associate, to 
avoid confusion between primary business associates of a covered entity 
and subcontractors. Other commenters suggested changes to the 
definition of subcontractor itself to better clarify the scope of the 
definition.
    Several commenters requested specific guidance on who is and is not 
a subcontractor under the definitions of ``business associate'' and 
``subcontractor.'' For example, one commenter asked whether an entity 
that shreds documents for a business associate for the business 
associate's activities and not for the covered entity, would qualify as 
a subcontractor. Another commenter asked whether disclosures by a 
business associate of protected health information for its own 
management and administration or legal needs creates a subcontractor 
relationship. Other commenters recommended that subcontractors without 
routine access to protected health information, or who do not access 
protected health information at all for their duties, not be considered 
business associates.
Final Rule
    The final rule adopts the proposal to apply the business associate 
provisions of the HIPAA Rules to subcontractors and thus, provides in 
the definition of ``business associate'' that a business associate 
includes a ``subcontractor that creates, receives, maintains, or 
transmits protected health information on behalf of the business 
associate.'' In response to comments, we clarify the definition of 
``subcontractor'' in Sec.  160.103 to provide that subcontractor means: 
``a person to whom a business associate delegates a function, activity, 
or service, other than in the capacity of a member of the workforce of 
such business associate.'' Thus, a subcontractor is a person to whom a 
business associate has delegated a function, activity, or service the 
business associate has agreed to perform for a covered entity or 
business associate. A subcontractor is then a business associate where 
that function, activity, or service involves the creation, receipt, 
maintenance, or transmission of protected health information. We also 
decline to replace the term ``subcontractor'' with another, as we were 
not persuaded by any of the alternatives suggested by commenters (e.g., 
``business associate contractor,'' ``downstream business associate,'' 
or ``downstream entity'').
    We disagree with the commenters that suggested that applying the 
business associate provisions of the HIPAA Rules to subcontractors is 
beyond the Department's statutory authority. In the HITECH Act, 
Congress created direct liability under the HIPAA Privacy and Security 
Rules for persons that are not covered entities but that create or 
receive protected health information in order for a covered entity to 
perform its health care functions, to ensure individuals' personal 
health information remains sufficiently protected in the hands of these 
entities. As stated in the NPRM, applying the business associate 
provisions only to those entities that have a direct relationship with 
a covered entity does not achieve that intended purpose. Rather, it 
allows privacy and security protections for protected health 
information to lapse once a subcontractor is enlisted to assist in 
performing a function, activity, or service for the covered entity, 
while at the same time potentially allowing certain primary business 
associates to avoid liability altogether for the protection of the 
information the covered entity has entrusted to the business associate. 
Further, section 13422 of the HITECH Act provides that each reference 
in the Privacy subtitle of the Act to a provision of the HIPAA Rules 
refers to such provision as in effect on the date of enactment of the 
Act or to the most recent update of such provision (emphasis added). 
Thus, the Act does not bar the Department from modifying definitions of 
terms in the HIPAA Rules to which the Act refers. Rather, the statute 
expressly contemplates that modifications to the terms may be necessary 
to carry out the provisions of the Act or for other purposes.
    Further, we do not agree that covered entities will be confused and 
seek to establish direct business associate contracts with 
subcontractors or will prohibit business associates from engaging 
subcontractors to perform functions or services that require access to 
protected health information. The final rule makes clear that a covered 
entity is not required to enter into a contract or other arrangement 
with a business associate that is a subcontractor. See Sec. Sec.  
164.308(b)(1) and 164.502(e)(1)(i). In addition, as commenters did not 
present direct evidence to the contrary, we do not believe that covered 
entities will begin

[[Page 5574]]

prohibiting business associates from engaging subcontractors as a 
result of the final rule, in cases where they were not doing so before. 
Rather, we believe that making subcontractors directly liable for 
violations of the applicable provisions of the HIPAA Rules will help to 
alleviate concern on the part of covered entities that protected health 
information is not adequately protected when provided to 
subcontractors.
    The Department also believes that the privacy and security 
protections for an individual's personal health information and 
associated liability for noncompliance with the Rules should not lapse 
beyond any particular business associate that is a subcontractor. Thus, 
under the final rule, covered entities must ensure that they obtain 
satisfactory assurances required by the Rules from their business 
associates, and business associates must do the same with regard to 
subcontractors, and so on, no matter how far ``down the chain'' the 
information flows. This ensures that individuals' health information 
remains protected by all parties that create, receive, maintain, or 
transmit the information in order for a covered entity to perform its 
health care functions. For example, a covered entity may contract with 
a business associate (contractor), the contractor may delegate to a 
subcontractor (subcontractor 1) one or more functions, services, or 
activities the business associate has agreed to perform for the covered 
entity that require access to protected health information, and the 
subcontractor may in turn delegate to another subcontractor 
(subcontractor 2) one or more functions, services, or activities it has 
agreed to perform for the contractor that require access to protected 
health information, and so on. Both the contractor and all of the 
subcontractors are business associates under the final rule to the 
extent they create, receive, maintain, or transmit protected health 
information.
    With respect to requests for specific guidance on who is and is not 
a subcontractor, we believe the above changes to the definition provide 
further clarity. We also provide the following in response to specific 
comments. Disclosures by a business associate pursuant to Sec.  
164.504(e)(4) and its business associate contract for its own 
management and administration or legal responsibilities do not create a 
business associate relationship with the recipient of the protected 
health information because such disclosures are made outside of the 
entity's role as a business associate. However, for such disclosures 
that are not required by law, the Rule requires that the business 
associate obtain reasonable assurances from the person to whom the 
information is disclosed that it will be held confidentially and used 
or further disclosed only as required by law or for the purposes for 
which it was disclosed to the person and the person notifies the 
business associate of any instances of which it is aware that the 
confidentiality of the information has been breached. See Sec.  
164.504(e)(4)(ii)(B).
    In contrast, disclosures of protected health information by the 
business associate to a person who will assist the business associate 
in performing a function, activity, or service for a covered entity or 
another business associate may create a business associate relationship 
depending on the circumstances. For example, an entity hired by a 
business associate to appropriately dispose of documents that contain 
protected health information is also a business associate and subject 
to the applicable provisions of the HIPAA Rules. If the documents to be 
shredded do not contain protected health information, then the entity 
is not a business associate. We also clarify that the same 
interpretations that apply to determining whether a first tier 
contractor is a business associate also apply to determining whether a 
subcontractor is a business associate. Thus, our interpretation of who 
is and is not excluded from the definition of business associate as a 
conduit also applies in the context of subcontractors as well. We refer 
readers to the above discussion regarding transmission services and 
conduits.
iv. Exceptions to Business Associate
Proposed Rule
    Sections 164.308(b)(2) and 164.502(e)(1)(ii) of the HIPAA Rules 
currently describe certain circumstances, such as when a covered entity 
discloses protected health information to a health care provider 
concerning the treatment of an individual, in which a covered entity is 
not required to enter into a business associate contract or other 
arrangement with the recipient of the protected health information. We 
proposed to move these provisions to the definition of ``business 
associate'' itself as exceptions to make clear that the Department does 
not consider the recipients of the protected health information in 
these circumstances to be business associates. The movement of these 
exceptions also was intended to help clarify that a person or an entity 
is a business associate if the person or entity meets the definition of 
``business associate,'' even if a covered entity, or business associate 
with respect to a subcontractor, fails to enter into the required 
business associate contract with the person or entity.
Final Rule
    The Department did not receive substantive public comment on this 
proposal. The final rule includes the exceptions within the definition 
of ``business associate.''
v. Technical Changes to the Definition
Proposed Rule
    For clarity and consistency, we also proposed to change the term 
``individually identifiable health information'' in the current 
definition of ``business associate'' to ``protected health 
information,'' since a business associate has no obligation under the 
HIPAA Rules with respect to individually identifiable health 
information that is not protected health information.
Final Rule
    The Department did not receive substantive public comment on this 
proposal. The final rule adopts the proposed modification to the 
definition. Additionally, as indicated above, we have revised the 
definition of business associate to clarify that a business associate 
includes an entity that ``creates, receives, maintains, or transmits'' 
protected health information on behalf of a covered entity. This change 
is intended to make the definition more consistent with language at 
Sec.  164.308(b) of the Security Rule and Sec.  164.502(e) of the 
Privacy Rule, as well as to clarify that entities that maintain or 
store protected health information on behalf of a covered entity are 
business associates, even if they do not actually view the protected 
health information.
vi. Response to Other Public Comments
    Comment: One commenter suggested that some covered entities do not 
treat third party persons that handle protected health information 
onsite as a business associate.
    Response: A covered entity may treat a contractor who has his or 
her duty station onsite at a covered entity and who has more than 
incidental access to protected health information as either a member of 
the covered entity's workforce or as a business associate for purposes 
of the HIPAA Rules.
    Comment: A few commenters asked for confirmation that researchers 
are not considered business associates. In addition, the Secretary's 
Advisory

[[Page 5575]]

Committee on Human Research Protections, in its November 23, 2010, 
letter to the Secretary providing comments on the NPRM, asked the 
Department to confirm that outsourced research review, approval, and 
continuing oversight functions (such as through using an external or 
independent Institutional Review Board) similarly do not give rise to a 
business associate relationship.
    Response: A person or entity is a business associate only in cases 
where the person or entity is conducting a function or activity 
regulated by the HIPAA Rules on behalf of a covered entity, such as 
payment or health care operations, or providing one of the services 
listed in the definition of ``business associate,'' and in the 
performance of such duties the person or entity has access to protected 
health information. Thus, an external researcher is not a business 
associate of a covered entity by virtue of its research activities, 
even if the covered entity has hired the researcher to perform the 
research. See https://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/239.html. Similarly, an external or independent 
Institutional Review Board is not a business associate of a covered 
entity by virtue of its performing research review, approval, and 
continuing oversight functions.
    However, a researcher may be a business associate if the researcher 
performs a function, activity, or service for a covered entity that 
does fall within the definition of business associate, such as the 
health care operations function of creating a de-identified or limited 
data set for the covered entity. See paragraph (6)(v) of the definition 
of ``health care operations.'' Where the researcher is also the 
intended recipient of the de-identified data or limited data set, the 
researcher must return or destroy the identifiers at the time the 
business associate relationship to create the data set terminates and 
the researcher now wishes to use the de-identified data or limited data 
set (subject to a data use agreement) for a research purpose.
    Comment: A few commenters asked for clarification as to whether the 
business associate provisions applied to banking and financial 
institutions. Commenters sought clarification as to whether the 
exemption at Sec.  1179 of the HIPAA statute for financial institutions 
was applicable to subcontractors.
    Response: This final rule is not intended to affect the status of 
financial institutions with respect to whether they are business 
associates. The HIPAA Rules, including the business associate 
provisions, do not apply to banking and financial institutions with 
respect to the payment processing activities identified in Sec.  1179 
of the HIPAA statute, for example, the activity of cashing a check or 
conducting a funds transfer. Section 1179 of HIPAA exempts certain 
activities of financial institutions from the HIPAA Rules, to the 
extent that these activities constitute authorizing, processing, 
clearing, settling, billing, transferring, reconciling, or collecting 
payments for health care or health plan premiums. However, a banking or 
financial institution may be a business associate where the institution 
performs functions above and beyond the payment processing activities 
identified above on behalf of a covered entity, such as performing 
accounts receivable functions on behalf of a health care provider.
    We clarify that our inclusion of subcontractors in the definition 
of business associate does not impact the exclusion of financial 
institutions from the definition of ``business associates'' when they 
are only conducting payment processing activities that fall under Sec.  
1179 of the HIPAA statute. Accordingly, a business associate need not 
enter into a business associate agreement with a financial institution 
that is solely conducting payment activities that are excluded under 
Sec.  1179.
    Comment: One commenter sought clarification of the status of a risk 
management group or malpractice insurance company that receives 
protected health information when contracted with a covered entity to 
mitigate the covered entity's risk and then contracts with legal groups 
to represent the covered entity during malpractice claims.
    Response: A business associate agreement is not required where a 
covered entity purchases a health plan product or other insurance, such 
as medical liability insurance, from an insurer. However, a business 
associate relationship could arise if the insurer is performing a 
function on behalf of, or providing services to, the covered entity 
that does not directly relate to the provision of insurance benefits, 
such as performing risk management or assessment activities or legal 
services for the covered entity, that involve access to protected 
health information.
b. Definition of ``Electronic Media''
Proposed Rule
    The term ``electronic media'' was originally defined in the 
Transactions and Code Sets Rule issued on August 17, 2000 (65 FR 50312) 
and was included in the definitions at Sec.  162.103. That definition 
was subsequently revised and moved to Sec.  160.103. The purpose of 
that revision was to clarify that the physical movement of electronic 
media from place to place is not limited to magnetic tape, disk, or 
compact disk, so as to allow for future technological innovation. We 
further clarified that transmission of information not in electronic 
form before the transmission (e.g., paper or voice) is not covered by 
this definition. See 68 FR 8339, Feb. 20, 2003.
    In the NPRM, we proposed to revise the definition of ``electronic 
media'' in the following ways. First, we proposed to revise paragraph 
(1) of the definition to replace the term ``electronic storage media'' 
with ``electronic storage material'' to conform the definition of 
``electronic media'' to its current usage, as set forth in the National 
Institute for Standards and Technology (NIST) ``Guidelines for Media 
Sanitization'' (Definition of Medium, NIST SP 800-88, Glossary B, p. 27 
(2006)). The NIST definition, which was updated subsequent to the 
issuance of the Privacy and Security Rules, was developed in 
recognition of the likelihood that the evolution of the development of 
new technology would make use of the term ``electronic storage media'' 
obsolete in that there may be ``storage material'' other than ``media'' 
that house electronic data. Second, we proposed to add to paragraph (2) 
of the definition of ``electronic media'' a reference to intranets, to 
clarify that intranets come within the definition. Third, we proposed 
to change the word ``because'' to ``if'' in the final sentence of 
paragraph (2) of the definition of ``electronic media.'' The definition 
assumed that no transmissions made by voice via telephone existed in 
electronic form before transmission; the evolution of technology has 
made this assumption obsolete since some voice technology is digitally 
produced from an information system and transmitted by phone.
Overview of Public Comments
    The Department received comments in support of the revised 
definition and the flexibility created to account for later 
technological developments. Certain other commenters raised concerns 
that changes to the definition could have unintended impacts when 
applied to the administrative transaction and code set requirements. 
One commenter specifically supported the change in language from 
``because'' to ``if,'' noting the distinction was important to provide 
protection for digital audio recordings containing protected health 
information. One commenter suggested including the

[[Page 5576]]

word ``immediately'' in the final sentence of paragraph (2) to indicate 
that fax transmissions are excluded from the definition of electronic 
media if the information being exchanged did not exist in electronic 
form immediately before the transmission. Several commenters sought 
clarification as to whether data that is retained in office machines, 
such as facsimiles and photocopiers, is subject to the Privacy and 
Security Rules.
Final Rule
    The final rule adopts the definition as proposed with two 
additional modifications. First, in paragraph (2) we remove the 
parenthetical language referring to ``wide open'' with respect to the 
Internet and ``using Internet technology to link a business with 
information accessible only to collaborating parties'' with respect to 
extranets and intranets. The parenthetical language initially helped 
clarify what was intended by key words within the definition. As these 
key words have become more generally understood and guidance has become 
available through the NIST regarding specific key terms, such as 
intranet, extranet, and internet, (see, for example, NIST IR 7298 
Revision 1, Glossary of Key Information Security Terms, February 2011, 
available at https://csrc.nist.gov/publications/nistir/ir7298-rev1/nistir-7298-revision1.pdf), we believe the parenthetical language is no 
longer helpful. Second, we do accept the recommendation that we alter 
the language in paragraph (2) to include the word ``immediately,'' to 
exclude transmissions when the information exchanged did not exist in 
electronic form immediately before transmission. This modification 
clarifies that a facsimile machine accepting a hardcopy document for 
transmission is not a covered transmission even though the document may 
have originated from printing from an electronic file.
    We do not believe these changes will have unforeseen impacts on the 
application of the term in the transactions and code sets requirements 
at Part 162.
    In response to commenters' concerns that photocopiers, facsimiles, 
and other office machines may retain electronic data, potentially 
storing protected health information when used by covered entities or 
business associates, we clarify that protected health information 
stored, whether intentionally or not, in photocopier, facsimile, and 
other devices is subject to the Privacy and Security Rules. Although 
such devices are not generally relied upon for storage and access to 
stored information, covered entities and business associates should be 
aware of the capabilities of these devices to store protected health 
information and must ensure any protected health information stored on 
such devices is appropriately protected and secured from inappropriate 
access, such as by monitoring or restricting physical access to a 
photocopier or a fax machine that is used for copying or sending 
protected health information. Further, before removal of the device 
from the covered entity or business associate, such as at the end of 
the lease term for a photocopier machine, proper safeguards should be 
followed to remove the electronic protected health information from the 
media.
c. Definition of ``Protected Health Information''
Proposed Rule
    For consistency with the proposed modifications to the period of 
protection for decedent information at Sec.  164.502(f) (discussed 
below), the Department proposed to modify the definition of ``protected 
health information'' at Sec.  160.103 to provide that the Privacy and 
Security Rules do not protect the individually identifiable health 
information of persons who have been deceased for more than 50 years.
Overview of Public Comment
    The public comments received on this proposal are discussed and 
responded to below in the section describing the modifications to Sec.  
164.502(f).
Final Rule
    For the reasons stated in the section regarding Sec.  164.502(f), 
the final rule adopts the proposed modification to the definition of 
``protected health information.''
d. Definition of ``State''
Proposed Rule
    The HITECH Act at section 13400 includes a definition of ``State'' 
to mean ``each of the several States, the District of Columbia, Puerto 
Rico, the Virgin Islands, Guam, American Samoa, and the Northern 
Mariana Islands.'' This definition varies from paragraph (2) of the 
HIPAA definition of ``State'' at Sec.  160.103, which does not include 
reference to American Samoa and the Northern Mariana Islands. Thus, for 
consistency with the definition applied to the HIPAA Rules by the 
HITECH Act, we proposed to add reference to American Samoa and the 
Commonwealth of the Northern Mariana Islands in paragraph (2) of the 
definition of ``State'' at Sec.  160.103.
Final Rule
    The Department did not receive substantive public comment on this 
proposal and the final rule adopts the proposed modifications to the 
definition of ``State.''
e. Other Changes to the Definitions in Section 160.103
    In addition to the changes discussed above, the final rule makes 
the following changes as proposed in the NPRM to various definitions in 
Sec.  160.103:
    (1) Relocates the definitions of ``administrative simplification 
provision,'' ``ALJ,'' ``civil money penalty,'' ``respondent,'' and 
``violation or violate'' from Sec.  160.302 to Sec.  160.103 for ease 
of reference;
    (2) Adds a reference to sections 13400-13424 of the HITECH Act to 
the definition of ``administrative simplification provision'';
    (3) Removes a comma from the definition of ``disclosure'' 
inadvertently inserted into the definition in a prior rulemaking;
    (4) Replaces the term ``individually identifiable health 
information'' with ``protected health information'' in the definition 
of ``standard'' to better reflect the scope of the Privacy and Security 
Rules;
    (5) Adds a reference to ``business associate'' following the 
reference to ``covered entity'' in the definitions of ``respondent'' 
and ``compliance date,'' in recognition of the potential liability 
imposed on business associates for violations of certain provisions of 
the Privacy and Security Rules by sections 13401 and 13404 of the Act; 
and
    (6) Revises the definition of ``workforce member'' in Sec.  160.103 
to make clear that the term includes the employees, volunteers, 
trainees, and other persons whose conduct, in the performance of work 
for a business associate, is under the direct control of the business 
associate, because some provisions of the Act and the Privacy and 
Security Rules place obligations on the business associate with respect 
to workforce members.
4. Subpart B--Preemption of State Law
a. Section 160.201--Statutory Basis
Proposed Rule
    We proposed to modify Sec.  160.201 regarding the statutory basis 
for the preemption of State law provisions to add a reference to 
section 264(c) of HIPAA, which contains the statutory basis for the 
exception to preemption at Sec.  160.203(b) for State laws that are 
more stringent than the HIPAA Privacy Rule. We also proposed to add a 
reference to

[[Page 5577]]

section 13421(a) of the HITECH Act, which applies HIPAA's preemption 
rules to the HITECH Act's privacy and security provisions. Finally, we 
proposed to re-title the provision to read ``Statutory basis'' instead 
of ``Applicability.''
Overview of Public Comments
    Several commenters expressed concerns about the lack of uniform 
Federal and State privacy laws and the resultant confusion and expense 
associated with determining which laws apply to a given circumstance, 
particularly as more and more health care entities operate across 
multiple state lines. Commenters recommended that the Department make 
efforts to engage States and other partners to examine divergent 
Federal and State requirements and to attempt to coordinate various 
disclosure rules to drive Federal-State consensus.
Final Rule
    The final rule adopts the proposed modifications. In response to 
the comments concerned with the lack of uniform Federal and State 
privacy laws, we note that the preemption provisions of the HIPAA Rules 
are based on section 1178 of the Social Security Act and section 
264(c)(2) of HIPAA. Through these statutory provisions, Congress made 
clear that the HIPAA privacy requirements are to supersede only 
contrary provisions of State law, and not even in all such cases, such 
as where the provision of State law provides more stringent privacy 
protections than the HIPAA Privacy Rule. Accordingly, the HIPAA Privacy 
Rule provides a Federal floor of privacy protections, with States free 
to impose more stringent privacy protections should they deem 
appropriate.
b. Section 160.202--Definitions
i. Definition of ``Contrary''
Proposed Rule
    The term ``contrary'' is defined in Sec.  160.202 to make clear 
when the preemption provisions of HIPAA apply to State law. For the 
reasons set forth on page 40875 of the July 2010 NPRM, we proposed to 
amend the definition of ``contrary'' by inserting references to 
business associates in paragraph (1) of the definition. We also 
expanded the reference to the HITECH statutory provisions in paragraph 
(2) of the definition to encompass all of the sections of subtitle D of 
the HITECH Act, rather than merely to section 13402, which was added by 
the breach notifications interim final rule. These changes would give 
effect to section 13421(a).
Final Rule
    The Department did not receive substantive public comment on this 
proposal. The final rule adopts the proposed modifications.
ii. Definition of ``More Stringent''
Proposed Rule
    The term ``more stringent'' is part of the statutory preemption 
language under HIPAA. HIPAA preempts State law that is contrary to a 
HIPAA privacy standard unless, among other exceptions, the State law is 
more stringent than the contrary HIPAA privacy standard. We proposed to 
amend the definition to add a reference to business associates.
Final Rule
    The Department did not receive substantive public comment on this 
proposal. The final rule adopts the proposed modification.

B. Subparts C and D of Part 160: Amendments to the Enforcement Rule

    Section 13410 of the HITECH Act made several amendments to the 
Social Security Act to strengthen the HIPAA Enforcement Rule, which 
applies to the Secretary's enforcement of all of the HIPAA 
Administrative Simplification Rules, as well as the Breach Notification 
Rule.
    On October 30, 2009, the Department issued an interim final rule 
(IFR) revising the Enforcement Rule to incorporate the provisions of 
section 13410(d) of the HITECH Act that took effect immediately to 
apply to violations of the HIPAA Rules occurring after the enactment 
date of February 18, 2009. See 74 FR 56123. In general, section 
13410(d) of the HITECH Act revised section 1176(a) of the Social 
Security Act to establish four categories of violations that reflect 
increasing levels of culpability and four corresponding tiers of 
penalty amounts that significantly increased the minimum penalty amount 
for each violation, with a maximum penalty amount of $1.5 million 
annually for all violations of an identical provision. Section 13410(d) 
also amended section 1176(b) of the Social Security Act by removing the 
previous affirmative defense to the imposition of penalties if the 
covered entity did not know and with the exercise of reasonable 
diligence would not have known of the violation (these violations are 
now punishable under the lowest tier of penalties), and by providing a 
prohibition on the imposition of penalties for any violation that is 
timely corrected, as long as the violation was not due to willful 
neglect. The IFR updated the HIPAA Enforcement Rule to reflect these 
statutory amendments. The IFR did not make amendments with respect to 
those enforcement provisions of section 13410 of the HITECH Act that 
were not effective immediately upon enactment.
    In its July 2010 NPRM, the Department proposed a number of 
additional modifications to the Enforcement Rule to reflect other 
provisions of section 13410 of the HITECH Act, some of which became 
effective on February 18, 2010, or were to become effective at a later 
date: (1) Requiring that the Secretary formally investigate complaints 
indicating violations due to willful neglect, and impose civil money 
penalties upon finding violations due to willful neglect; (2) making 
business associates of covered entities directly liable for civil money 
penalties for violations of certain provisions of the HIPAA Rules; (3) 
requiring the Secretary to determine civil money penalty amounts based 
upon the nature and extent of the harm resulting from a violation; and 
(4) providing that the Secretary's authority to impose a civil money 
penalty will be barred only to the extent a criminal penalty has been 
imposed with respect to an act under Section 1177, rather than in cases 
in which the act constitutes an offense that is criminally punishable 
under Section 1177.
    The following discussion describes the enforcement provisions of 
the IFR and the NPRM, responds to public comment received by the 
Department on both rules, and describes the final modifications to the 
Enforcement Rule adopted by this final rule. In addition to the 
modifications discussed below, this final rule also adopts the NPRM 
proposal to add the term ``business associate'' to the following 
provisions of the Enforcement Rule: Sec. Sec.  160.300; 160.304; 
160.306(a) and (c); 160.308; 160.310; 160.312; 160.316; 160.401; 
160.402; 160.404(b); 160.406; 160.408(c) and (d); and 160.410(a) and 
(c). This is done to implement sections 13401 and 13404 of the Act, 
which impose direct civil money penalty liability on business 
associates for their violations of certain provisions of the HIPAA 
Rules.

[[Page 5578]]

1. Subpart C of Part 160--Compliance and Investigations
a. Sections 160.304, 160.306, 160.308, and 160.312--Noncompliance Due 
to Willful Neglect
Proposed Rule
    Section 13410(a) of the HITECH Act adds a new subsection (c) to 
section 1176 of the Social Security Act, which requires the Department 
to formally investigate a complaint if a preliminary investigation of 
the facts of the complaint indicates a possible violation due to 
willful neglect (section 1176(c)(2)) and to impose a civil money 
penalty for a violation due to willful neglect (section 1176(c)(1)). 
The Department proposed a number of modifications to Subpart C of the 
Enforcement Rule to implement these provisions.
    First, Sec.  160.306(c) of the Enforcement Rule currently provides 
the Secretary with discretion to investigate HIPAA complaints through 
the use of the word ``may.'' As a practical matter, however, the 
Department currently conducts a preliminary review of every complaint 
received and proceeds with the investigation in every eligible case 
where its preliminary review of the facts indicates a possible 
violation of the HIPAA Rules. Nonetheless, to implement section 
1176(c)(2), the Department proposed to add a new paragraph (1) to Sec.  
160.306(c) (and to make conforming changes to the remainder of Sec.  
160.306(c)) to make clear that the Secretary will investigate any 
complaint filed under this section when a preliminary review of the 
facts indicates a possible violation due to willful neglect. Under 
proposed Sec.  160.306(c)(2), the Secretary would have continued 
discretion with respect to investigating any other complaints.
    Second, the Department proposed to modify Sec.  160.308 by adding a 
new paragraph (a) to provide that the Secretary will conduct a 
compliance review to determine whether a covered entity or business 
associate is complying with the applicable administrative 
simplification provision when a preliminary review of the facts 
indicates a possible violation due to willful neglect. Like Sec.  
160.306(c) with respect to complaints, the current Sec.  160.308(c) 
provides the Secretary with discretion to conduct compliance reviews. 
While section 13410(a) of the HITECH Act specifically mentions 
complaints and not compliance reviews with respect to willful neglect, 
the Department proposed to treat compliance reviews in the same manner 
because it believed doing so would strengthen enforcement with respect 
to potential violations of willful neglect and would ensure that 
investigations, whether or not initiated by a complaint, would be 
handled in a consistent manner. Under proposed Sec.  160.308(b), the 
Secretary would continue to have discretion to conduct compliance 
reviews in circumstances not indicating willful neglect.
    Third, given the HITECH Act's requirement that the Secretary impose 
a penalty for any violation due to willful neglect, the Department 
proposed changes to Sec.  160.312, which currently requires the 
Secretary to attempt to resolve investigations or compliance reviews 
indicating noncompliance by informal means. The NPRM proposed to 
provide instead in Sec.  160.312(a) that the Secretary ``may'' rather 
than ``will'' attempt to resolve investigations or compliance reviews 
indicating noncompliance by informal means. This change would permit 
the Department to proceed with a willful neglect violation 
determination as appropriate, while also permitting the Department to 
seek resolution of complaints and compliance reviews that did not 
indicate willful neglect violations by informal means (e.g., where the 
covered entity or business associate did not know and by exercising 
reasonable diligence would not have known of a violation, or where the 
violation is due to reasonable cause).
    Finally, the Department proposed a conforming change to Sec.  
160.304(a), which currently requires the Secretary to seek, to the 
extent practicable, the cooperation of covered entities in obtaining 
compliance with the HIPAA Rules. The NPRM proposed to clarify that the 
Secretary would continue to do so ``consistent with the provisions of 
this subpart'' in recognition of the new HITECH Act requirement to 
impose a civil money penalty for a violation due to willful neglect. 
While the Secretary often will still seek to correct indications of 
noncompliance through voluntary corrective action, there may be 
circumstances (such as circumstances indicating willful neglect), where 
the Secretary may proceed directly to formal enforcement.
Overview of Public Comments
    One commenter supported maintaining the current language at 
Sec. Sec.  160.306 and 160.308 of the Enforcement Rule, providing the 
Secretary with discretion to conduct complaint investigations and 
compliance reviews, regardless of indications of willful neglect. One 
commenter suggested that OCR look to whether facts indicate a 
``probable,'' rather than ``possible,'' violation due to willful 
neglect to limit the likelihood of unnecessary formal investigations or 
compliance reviews. While one commenter supported the proposal to 
require a compliance review in circumstances indicating a possible 
violation due to willful neglect, others argued that requiring 
compliance reviews in such circumstances is not required by the 
statute, will detract from resources to investigate complaints, and 
will be duplicative if a formal complaint investigation is also 
underway.
    Several commenters expressed concern over the proposal at Sec.  
160.312(a) to give the Secretary discretion, rather than to require the 
Secretary, to attempt to resolve investigations or compliance reviews 
indicating noncompliance by informal means, even in cases of 
noncompliance that did not involve willful neglect (e.g., cases 
involving reasonable cause or lack of knowledge of a violation). 
Commenters indicated support for the Department's seeking compliance 
through voluntary corrective action as opposed to formal enforcement 
proceedings and argued that the Department should retain the 
requirement for the Secretary to attempt informal resolution in all 
circumstances except those involving willful neglect. One commenter 
recommended that the Secretary be able to assess penalties regardless 
of whether corrective action was obtained.
Final Rule
    The final rule adopts the modifications to Sec. Sec.  160.304, 
160.306, 160.308, and 160.312, as proposed in the NPRM. The Department 
believes these changes to the enforcement provisions to be appropriate 
given the HITECH Act's requirements at section 13410(a) with respect to 
circumstances indicating or involving noncompliance due to willful 
neglect. We do not provide in the Rule that the Secretary will 
investigate when a preliminary review of the facts indicates a 
``probable'' rather than ``possible'' violation due to willful neglect 
as the statute requires an investigation even in cases indicating a 
``possible'' violation due to willful neglect. In response to 
commenters concerned about requiring the Secretary to conduct 
compliance reviews in circumstances in which facts indicate a possible 
violation due to willful neglect, we continue to believe that, while 
not expressly required by the statute, doing so appropriately 
strengthens enforcement with respect to violations due to willful 
neglect and ensures consistency in the handling of complaints and 
compliance reviews in

[[Page 5579]]

which violations due to willful neglect are indicated. We emphasize 
that the Department retains discretion to decide whether to conduct a 
compliance review (or complaint investigation) where a preliminary 
review of the facts indicates a degree of culpability less than willful 
neglect. Further, with respect to commenter concerns about duplication 
between complaint investigations and compliance reviews, we clarify 
that the Department generally conducts compliance reviews to 
investigate allegations of violations of the HIPAA Rules brought to the 
Department's attention through a mechanism other than a complaint. For 
example, the Department may use a compliance review to investigate 
allegations of violations of the Rules brought to our attention through 
a media report, or from a State or another Federal agency. If the 
Department initiates an investigation of a complaint because its 
preliminary review of the facts indicates a possible violation due to 
willful neglect, the Department is not also required to initiate a 
compliance review under Sec.  160.308 because doing so would initiate a 
duplicative investigation.
    With respect to Sec.  160.312, where the Rule previously mandated 
that the Secretary attempt to resolve indicated violations of the HIPAA 
Rules by informal means, the final rule now provides the Secretary with 
the discretion to do so, to reflect Section 13410 of the HITECH Act 
with regard to violations due to willful neglect. Nothing in Section 
13410 of the HITECH Act limits the Secretary's ability to resolve such 
cases by informal means. However, through its introduction of higher 
penalties and its mandate for formal investigations with regard to 
possible violations due to willful neglect, Section 13410 strengthens 
enforcement and accordingly we have revised Sec.  160.312 so that the 
Secretary may move directly to a civil money penalty without exhausting 
informal resolution efforts at her discretion, particularly in cases 
involving willful neglect violations.
Response to Other Public Comments
    Comment: A number of commenters requested further clarification on 
the scope and depth of what constitutes a ``preliminary review of the 
facts'' for purposes of determining whether facts indicate a possible 
violation due to willful neglect and thus, warrant a formal complaint 
investigation or compliance review. Certain commenters suggested that a 
preliminary review of the facts should go beyond merely a review of the 
allegations asserted in a complaint.
    Response: As noted above, currently the Department conducts a 
preliminary review of every complaint received and proceeds with the 
investigation in every eligible case where its preliminary review of 
the facts indicates a possible violation of the HIPAA Rules. The 
Department anticipates that some complaints, on their face, or reports 
or referrals that form the basis of a potential compliance review, will 
contain sufficient information to indicate a possible violation due to 
willful neglect, and some may not. In any event, the Department may on 
a case-by-case basis expand the preliminary review and conduct 
additional inquiries for purposes of identifying a possible violation 
due to willful neglect. Notwithstanding the scope of a preliminary 
review, OCR will determine if an indicated violation was due to willful 
neglect based on the evidence from its investigation of the 
allegations, even if a violation due to willful neglect was not 
indicated at the preliminary review stage.
b. Section 160.310--Protected Health Information Obtained by the 
Secretary
Proposed Rule
    Section 160.310 requires that covered entities make information 
available to and cooperate with the Secretary during complaint 
investigations and compliance reviews. Section 160.310(c)(3) provides 
that any protected health information obtained by the Secretary in 
connection with an investigation or compliance review will not be 
disclosed by the Secretary, except as necessary for determining and 
enforcing compliance with the HIPAA Rules or as otherwise required by 
law. In the proposed rule, we proposed to modify this paragraph to also 
allow the Secretary to disclose protected health information if 
permitted under the Privacy Act at 5 U.S.C. 552a(b)(7). Section 5 
U.S.C. 552a(b)(7) permits the disclosure of a record on an individual 
contained within a government system of records protected under the 
Privacy Act to another agency or instrumentality of any governmental 
jurisdiction within or under the control of the United States for a 
civil or criminal law enforcement activity if the activity is 
authorized by law and if the agency has made a written request to the 
agency that maintains the record. The proposed change would permit the 
Secretary to coordinate with other law enforcement agencies, such as 
the State Attorneys General pursuing civil actions to enforce the HIPAA 
Rules on behalf of State residents pursuant to section 13410(e) of the 
Act, or the FTC pursuing remedies under other consumer protection 
authorities.
Overview of Public Comments
    One commenter requested clarification and transparency on how or if 
Federal regulators such as OCR and the FTC will collaborate, when such 
information sharing will be initiated or occur as a routine process, or 
whether Federal and State agencies will work together to enforce 
suspected violations.
Final Rule
    To facilitate cooperation between the Department and other law 
enforcement agencies, the final rule adopts the modifications to Sec.  
160.310(c)(3) as proposed in the NPRM. In response to the comment 
regarding transparency in how the Department is or will cooperate with 
other agencies in enforcement, we note that the Department's web site 
at https://www.hhs.gov/ocr/enforcement/ contains information about how 
the Department coordinates with the Department of Justice to refer 
cases involving possible criminal HIPAA violations and how the 
Department has worked with the FTC to coordinate enforcement actions 
for violations that implicate both HIPAA and the FTC Act. Further, the 
Department will be working closely with State Attorneys General to 
coordinate enforcement in appropriate cases, as provided under section 
13410(e) of the HITECH Act. The Department will continue to update its 
web site as necessary and appropriate to maintain transparency with the 
public and the regulated community about these coordinated activities 
and its other enforcement actions and activities.
2. Subpart D--Imposition of Civil Money Penalties
a. Section 160.401--Definitions
    Section 160.401 defines ``reasonable cause,'' ``reasonable 
diligence,'' and ``willful neglect.'' Given that section 13410(d) of 
the HITECH Act uses these terms to describe the increasing levels of 
culpability for which increasing minimum levels of penalties may be 
imposed, the Department moved these definitions in the IFR from their 
prior placement at Sec.  160.410, which pertains only to affirmative 
defenses, to Sec.  160.401, so that they would apply to the entirety of 
Subpart D of Part 160 and the provisions regarding the imposition of 
civil money penalties. The IFR did not modify the definitions 
themselves as the HITECH Act did not amend the definitions.
    Even though the HITECH Act did not amend the definitions of these 
terms,

[[Page 5580]]

the Department in its NPRM proposed certain modifications to the 
definition of ``reasonable cause'' to clarify the mens rea (state of 
mind) required for this category of violations, and to avoid the 
situation where certain violations would not fall within one of the 
established penalty tiers. This modification is discussed below. The 
Department did not propose modifications to the definitions of 
``reasonable diligence'' and ``willful neglect.''
    In the NPRM, the Department also included examples and guidance as 
to how the Department planned to apply the definitions of ``reasonable 
cause,'' ``reasonable diligence,'' and ``willful neglect'' to 
distinguish among the tiers of culpability. 75 FR 40877-40879. As 
commenters generally found this guidance helpful, the Department 
intends to publish the guidance on its web site.
Modifications to the Definition of ``Reasonable Cause''
Proposed Rule
    Reasonable cause is currently defined at Sec.  160.401 to mean: 
``circumstances that would make it unreasonable for the covered entity, 
despite the exercise of ordinary business care and prudence, to comply 
with the administrative simplification provision violated.'' This 
definition is consistent with the Supreme Court's ruling in United 
States v. Boyle, 469 U.S. 241, 245 (1985), which focused on whether 
circumstances were beyond the regulated person's control, thereby 
making compliance unreasonable. See 70 FR 20224, 20238. Prior to the 
HITECH Act, section 1176 of the Social Security Act provided an 
affirmative defense to the imposition of a civil money penalty if the 
covered entity established that its violation was due to reasonable 
cause and not willful neglect and was corrected within a 30-day period 
(or such additional period determined by the Secretary to be 
appropriate).
    As described above, section 13410(d) of the HITECH Act revised 
section 1176 of the Social Security Act to establish four tiers of 
increasing penalty amounts to correspond to the levels of culpability 
associated with the violation. The first category of violation (and 
lowest penalty tier) covers situations where the covered entity or 
business associate did not know, and by exercising reasonable diligence 
would not have known, of a violation. The second category of violation 
(and next highest penalty tier) applies to violations due to reasonable 
cause and not to willful neglect. The third and fourth categories apply 
to circumstances where the violation was due to willful neglect that is 
corrected within a certain time period (second highest penalty tier) 
and willful neglect that is not corrected (highest penalty tier). The 
mens rea, or state of mind, associated with the tiers is clear with 
respect to the first, third, and fourth categories, in that there is no 
mens rea with respect to the lowest category of violation, while the 
existence of mens rea is presumed with respect to the third and fourth 
categories of violation.
    However, the current definition of ``reasonable cause'' does not 
address mens rea with respect to the second category of violations. 
Therefore, the Department proposed to amend the definition of 
``reasonable cause'' at Sec.  160.401 to clarify the mens rea 
associated with the reasonable cause category of violations and to 
clarify the full scope of violations that will come within the 
category. Specifically, the Department proposed to modify the 
definition of ``reasonable cause'' to mean ``an act or omission in 
which a covered entity or business associate knew, or by exercising 
reasonable diligence would have known, that the act or omission 
violated an administrative simplification provision, but in which the 
covered entity or business associate did not act with willful 
neglect.'' Thus, the proposed definition would now include violations 
due both to circumstances that would make it unreasonable for the 
covered entity or business associate, despite the exercise of ordinary 
business care and prudence, to comply with the administrative 
simplification provision violated, as well as to other circumstances in 
which a covered entity or business associate has knowledge of a 
violation but lacks the conscious intent or reckless indifference 
associated with the willful neglect category of violations.
Overview of Public Comments
    Commenters addressing the definition of ``reasonable cause'' 
expressed general support for the proposed clarifications to the scope 
of this category of violations.
Final Rule
    The final rule adopts the proposed modifications to the definition.
b. Section 160.402--Basis for a Civil Money Penalty
Proposed Rule
    Section 160.402(a) states generally that the Secretary will impose 
a civil money penalty upon a covered entity if the Secretary determines 
that the covered entity violated an administrative simplification 
provision. Section 164.402, in paragraphs (b) and (c), provides the 
basis for a civil money penalty against a covered entity where more 
than one covered entity is responsible for a violation, where an 
affiliated covered entity is responsible for a violation, and where an 
agent of a covered entity is responsible for a violation.
    The proposed rule proposed to remove the exception at Sec.  
160.402(c) for covered entity liability for the acts of its agent in 
cases where the agent is a business associate, the relevant contract 
requirements have been met, the covered entity did not know of a 
pattern or practice of the business associate in violation of the 
contract, and the covered entity did not fail to act as required by the 
Privacy or Security Rule with respect to such violations. The proposed 
rule also proposed to add a parallel provision in a new paragraph (2) 
at Sec.  160.402(c) that would provide for civil money penalty 
liability against a business associate for the acts of its agent. The 
existing language of Sec.  160.402(c) regarding the liability of 
covered entities for the acts of their agents would be re-designated as 
paragraph (1).
    These proposed changes would make covered entities and business 
associates liable under Sec.  160.402(c) for the acts of their business 
associate agents, in accordance with the Federal common law of agency, 
regardless of whether the covered entity has a compliant business 
associate agreement in place. Section 160.402(c) closely tracks the 
language in section 1128A(l) of the Social Security Act, which is made 
applicable to HIPAA by section 1176(a)(2) of such Act, which states 
that ``a principal is liable for penalties * * * under this section for 
the actions of the principal's agents acting within the scope of the 
agency.'' One reason for removing the exception to the general 
provision at Sec.  160.402(c), as we explained in the NPRM, is to 
ensure, where a covered entity or business associate has delegated out 
an obligation under the HIPAA Rules, that a covered entity or business 
associate would remain liable for penalties for the failure of its 
business associate agent to perform the obligation on the covered 
entity or business associate's behalf.
Overview of Public Comments
    Several commenters requested that the Department clarify and 
provide additional guidance regarding how the Federal common law of 
agency applies to business associate relationships. These commenters 
expressed an overall concern that applying the Federal common law of 
agency to business

[[Page 5581]]

associate relationships would add unnecessary confusion to and place an 
undue burden on business associate relationships. Several commenters 
argued that the proposed change would require covered entities and 
business associates to determine whether their business associates or 
business associate subcontractors are agents, resulting in costly and 
burdensome challenges when drafting business associate contracts and 
monitoring ongoing relationships. One commenter argued that the Federal 
common law of agency should not be applied to covered entity and 
business associate relationships because it does not generally control 
when the parties have entered into a contractual agreement that 
specifies their respective rights and obligations. Instead, the 
commenter argued, the contractual provisions control, and are 
interpreted and enforced in accordance with State law specified by the 
contract.
Final Rule
    This final rule adopts the proposed modifications to Sec.  
160.402(c). We do not believe that this change will place an undue 
burden on covered entities and business associates. As we explained in 
the NPRM, a covered entity's liability for acts of its agents is 
customary under common law. See 75 FR 40880. Further, section 1128A(l) 
of the Social Security Act, applicable to HIPAA covered entities and 
now business associates by section 1176(a)(2) of the Act, states that a 
principal is liable for civil money penalties for the actions of the 
principal's agent acting within the scope of agency. Before the changes 
to Sec.  160.402(c) were finalized in this rule, if a covered entity 
failed to comply with the business associate provisions in the HIPAA 
Rules, a covered entity potentially would have been liable for the 
actions of its business associate agent. Thus, we believe that the 
notion that a principal is liable for the acts of its agent should not 
be an unfamiliar concept to covered entities and business associates. 
However, we appreciate and understand the commenters' concerns and take 
this opportunity to provide additional guidance.
    While section 1128A(l) is silent as to how to define ``principal,'' 
``agent,'' and ``scope of agency,'' Sec.  160.402(c) references the 
Federal common law of agency. As we explained in the Enforcement Rule 
preamble, 71 FR 8390, 8403-04, adopting the Federal common law to 
determine the definitions and application of these terms achieves 
nationwide uniformity in the implementation of the HIPAA Rules. We 
believe that relying on the Federal common law is particularly 
important because of HIPAA's express objective of furthering the 
efficiency and effectiveness of the health care system as a whole. 
Further, adopting the Federal common law here is consistent with the 
precept that Federal statutes are meant to have uniform nationwide 
application. Therefore, we disagree with the comment that argued that 
Federal common law should not be applied with respect to relationships 
between covered entities and business associates.
    An analysis of whether a business associate is an agent will be 
fact specific, taking into account the terms of a business associate 
agreement as well as the totality of the circumstances involved in the 
ongoing relationship between the parties. The essential factor in 
determining whether an agency relationship exists between a covered 
entity and its business associate (or business associate and its 
subcontractor) is the right or authority of a covered entity to control 
the business associate's conduct in the course of performing a service 
on behalf of the covered entity. The right or authority to control the 
business associate's conduct also is the essential factor in 
determining whether an agency relationship exists between a business 
associate and its business associate subcontractor. Accordingly, this 
guidance applies in the same manner to both covered entities (with 
regard to their business associates) and business associates (with 
regard to their subcontractors).
    The authority of a covered entity to give interim instructions or 
directions is the type of control that distinguishes covered entities 
in agency relationships from those in non-agency relationships. A 
business associate generally would not be an agent if it enters into a 
business associate agreement with a covered entity that sets terms and 
conditions that create contractual obligations between the two parties. 
Specifically, if the only avenue of control is for a covered entity to 
amend the terms of the agreement or sue for breach of contract, this 
generally indicates that a business associate is not acting as an 
agent. In contrast, a business associate generally would be an agent if 
it enters into a business associate agreement with a covered entity 
that granted the covered entity the authority to direct the performance 
of the service provided by its business associate after the 
relationship was established. For example, if the terms of a business 
associate agreement between a covered entity and its business associate 
stated that ``a business associate must make available protected health 
information in accordance with Sec.  164.524 based on the instructions 
to be provided by or under the direction of a covered entity,'' then 
this would create an agency relationship between the covered entity and 
business associate for this activity because the covered entity has a 
right to give interim instructions and direction during the course of 
the relationship. An agency relationship also could exist between a 
covered entity and its business associate if a covered entity contracts 
out or delegates a particular obligation under the HIPAA Rules to its 
business associate. As discussed above, whether or not an agency 
relationship exists in this circumstance again would depend on the 
right or authority to control the business associate's conduct in the 
performance of the delegated service based on the right of a covered 
entity to give interim instructions.
    While these principles are well established under the Federal 
common law of agency, we again note that any analysis regarding scope 
of agency depends on the facts of each circumstance. Several factors 
are important to consider in any analysis to determine the scope of 
agency: (1) The time, place, and purpose of a business associate 
agent's conduct; (2) whether a business associate agent engaged in a 
course of conduct subject to a covered entity's control; (3) whether a 
business associate agent's conduct is commonly done by a business 
associate to accomplish the service performed on behalf of a covered 
entity; and (4) whether or not the covered entity reasonably expected 
that a business associate agent would engage in the conduct in 
question.
    The terms, statements, or labels given to parties (e.g., 
independent contractor) do not control whether an agency relationship 
exists. Rather, the manner and method in which a covered entity 
actually controls the service provided decides the analysis. As 
mentioned above, an analysis of whether a business associate is an 
agent will be fact specific and consider the totality of the 
circumstances involved in the ongoing relationship between the parties. 
We note here several circumstances that are important. The type of 
service and skill level required to perform the service are relevant 
factors in determining whether a business associate is an agent. For 
example, a business associate that is hired to perform de-
identification of protected health information for a small provider 
would likely not be an agent because the small provider likely would 
not have the expertise to provide interim instructions regarding this 
activity to the business associate. Also, an agency relationship would 
not likely exist when a covered entity is legally or

[[Page 5582]]

otherwise prevented from performing the service or activity performed 
by its business associate. For example, the accreditation functions 
performed by a business associate cannot be performed by a covered 
entity seeking accreditation because a covered entity cannot perform an 
accreditation survey or award accreditation. We also note that a 
business associate can be an agent of a covered entity: (1) Despite the 
fact that a covered entity does not retain the right or authority to 
control every aspect of its business associate's activities; (2) even 
if a covered entity does not exercise the right of control but evidence 
exists that it holds the authority to exercise that right; and (3) even 
if a covered entity and its business associate are separated by 
physical distance (e.g., if a covered entity and business associate are 
located in different countries).
Response to Other Public Comments
    Comment: One commenter asked whether the Department intends to 
eliminate the exceptions afforded by the Federal common law of agency. 
This commenter also argued that if a business associate were an agent 
of a covered entity, and a HIPAA compliant business associate agreement 
was in place, any deviation from the terms in the agreement would be by 
definition outside the scope of agency.
    Response: As we discussed above, Sec.  160.402(c) provides that 
covered entities and business associates are liable for the acts of 
their business associate agents, in accordance with the Federal common 
law of agency. Section 160.402(c) is derived from section 1128A(l) of 
the Social Security Act which states that ``a principal is liable for 
penalties * * * under this section for the actions of the principal's 
agents acting within the scope of the agency.'' Accordingly, Sec.  
160.402(c) incorporates the Federal common law of agency, which 
includes the understanding that for a principal to be liable for the 
actions of an agent, the agent must be acting within the scope of 
agency. Thus, the exceptions to the Federal common law of agency (as 
the commenter identified them) are incorporated in the final rule at 
Sec.  160.402(c).
    We do not agree with the commenter that any deviation from the 
terms in a business associate contract would be by definition outside 
the scope of agency. A business associate agent's conduct generally is 
within the scope of agency when its conduct occurs during the 
performance of the assigned work or incident to such work, regardless 
of whether the work was done carelessly, a mistake was made in the 
performance, or the business associate disregarded a covered entity's 
specific instruction. For example, a business associate agent would 
likely be acting within the scope of agency if it impermissibly 
disclosed more than the minimum necessary information to a health plan 
for purposes of payment, even if the disclosure is contrary to clear 
instructions of the covered entity. In contrast, a business associate 
agent's conduct generally is outside the scope of agency when its 
conduct is solely for its own benefit (or that of a third party), or 
pursues a course of conduct not intended to serve any purpose of the 
covered entity.
    Comment: One commenter stated that the proposed change would impose 
strict liability on covered entities for the actions of third parties 
not under their control. Another commenter stated that an agent would 
always fall within the scope of a workforce member, which by definition 
is not a business associate.
    Response: We disagree with both comments and believe that the 
comments may reflect a misunderstanding of the proposed change. First, 
as explained above, Sec.  160.402(c) closely tracks the language in 
section 1128A(l) of the Social Security Act, which is made applicable 
to HIPAA by section 1176(a)(2) of such Act. It does not make a covered 
entity or business associate liable for the acts of third parties that 
are not under its control because such third parties are not its 
agents. With regard to the second comment, an agent could always fall 
within the definition of a workforce member because of the direct 
control requirement in that definition, but the definition of business 
associate excludes a workforce member. This definitional exclusion 
allows the covered entity to determine whether, for example, to provide 
training to the agent under the Privacy Rule. A covered entity would be 
required to provide training to a workforce member but not to a 
business associate agent. However, the covered entity is required to 
enter into a business associate agreement with a business associate 
agent that it does not treat as a workforce member. The proposed change 
to Sec.  160.402(c) simply makes the covered entity or business 
associate liable for the acts of its agents acting within the scope of 
agency, whether the agents are workforce members or business 
associates. See the definitions of ``business associate'' and 
``workforce member'' at Sec.  160.103.
c. Section 160.404--Amount of a Civil Monetary Penalty
Interim Final Rule
    The IFR amended Sec.  160.404 to revise the range of potential 
civil money penalty amounts a covered entity (or business associate) 
will be subject to for violations occurring on or after February 18, 
2009, as a result of section 13410(d) of the HITECH Act.
    Prior to the HITECH Act, section 1176(a) of the Social Security Act 
authorized the Secretary to impose a civil money penalty of not more 
than $100 for each violation, with the total amount imposed on a 
covered entity for all violations of an identical requirement or 
prohibition during a calendar year not to exceed $25,000. As described 
above, section 13410(d) of the HITECH Act modified section 1176(a) to 
establish tiers of increasing penalty amounts for violations based on 
increasing levels of culpability associated with each tier.
    Accordingly, the IFR adopted at Sec.  160.404(b) the new penalty 
scheme provided for at section 13410(d) of the HITECH Act for 
violations occurring on or after February 18, 2009. The IFR retained 
the pre-HITECH maximum penalty amounts of not more than $100 per 
violation and $25,000 for identical violations during a calendar year, 
for violations occurring before February 18, 2009.
    In adopting the HITECH Act's penalty scheme, the Department 
recognized that section 13410(d) contained apparently inconsistent 
language (i.e., its reference to two penalty tiers ``for each 
violation,'' each of which provided a penalty amount ``for all such 
violations'' of an identical requirement or prohibition in a calendar 
year). To resolve this inconsistency, with the exception of violations 
due to willful neglect that are not timely corrected, the IFR adopted a 
range of penalty amounts between the minimum given in one tier and the 
maximum given in the second tier for each violation and adopted the 
amount of $1.5 million as the limit for all violations of an identical 
provision of the HIPAA rules in a calendar year. For violations due to 
willful neglect that are not timely corrected, the IFR adopted the 
penalty amount of $50,000 as the minimum for each violation and $1.5 
million for all such violations of an identical requirement or 
prohibition in a calendar year.
    Specifically, the IFR revised Sec.  160.404 to provide, for 
violations occurring on or after February 18, 2009, the new HITECH 
penalty scheme, as follows: (1) For violations in which it is 
established that the covered entity did not know

[[Page 5583]]

and, by exercising reasonable diligence, would not have known that the 
covered entity violated a provision, an amount not less than $100 or 
more than $50,000 for each violation; (2) for a violation in which it 
is established that the violation was due to reasonable cause and not 
to willful neglect, an amount not less than $1000 or more than $50,000 
for each violation; (3) for a violation in which it is established that 
the violation was due to willful neglect and was timely corrected, an 
amount not less than $10,000 or more than $50,000 for each violation; 
and (4) for a violation in which it is established that the violation 
was due to willful neglect and was not timely corrected, an amount not 
less than $50,000 for each violation; except that a penalty for 
violations of the same requirement or prohibition under any of these 
categories may not exceed $1,500,000 in a calendar year. See Table 2 
below.

    Table 2--Categories of Violations and Respective Penalty Amounts
                                Available
------------------------------------------------------------------------
                                                     All such violations
 Violation category--Section                           of an identical
         1176(a)(1)              Each violation        provision in a
                                                        calendar year
------------------------------------------------------------------------
(A) Did Not Know............          $100-$50,000            $1,500,000
(B) Reasonable Cause........          1,000-50,000             1,500,000
(C)(i) Willful Neglect-              10,000-50,000             1,500,000
 Corrected..................
(C)(ii) Willful Neglect-Not                 50,000             1,500,000
 Corrected..................
------------------------------------------------------------------------

    In applying these amounts, the Department will not impose the 
maximum penalty amount in all cases but rather will determine the 
penalty amounts as required by the statute at section 1176(a)(1) and 
the regulations at Sec.  160.408 (i.e., based on the nature and extent 
of the violation, the nature and extent of the resulting harm, and the 
other factors set forth at Sec.  160.408).
    Further, for counting violations, the Department continues to 
utilize the methodology discussed in prior preambles of the Enforcement 
Rule. See 70 FR 20224, 20233-55 (April 18, 2005) and 71 FR 8390, 8404-
07 (February 16, 2006). For violations that began prior to February 18, 
2009, and continue after that date, the Department will treat 
violations occurring before February 18, 2009, as subject to the 
penalties in effect prior to February 18, 2009, and violations 
occurring on or after February 18, 2009, as subject to the penalties in 
effect on or after February 18, 2009.
Overview of Public Comments
    Most comments on the civil money penalty amounts expressed concern 
with the new penalty structure set forth in the IFR. A few of these 
commenters expressed a generalized concern about the potential impact 
the available penalty amounts might have on covered entities, 
particularly smaller entities. One commenter argued that the Secretary 
should not fine entities for violations of which a covered entity had 
no knowledge or those due to reasonable cause, and that civil money 
penalties should only be imposed as a last resort. A few commenters 
expressed concern with the Secretary's wide range of discretion in 
determining a civil money penalty amount and suggested that the 
regulations or guidance should further define how the Secretary would 
determine such an amount.
    Some commenters specifically expressed concern about the maximum 
penalty amounts set forth for each violation (i.e., $50,000) and for 
all violations of an identical provision in a calendar year 
($1,500,000). Commenters argued that the IFR's penalty scheme is 
inconsistent with the HITECH Act's establishment of different tiers 
based on culpability because the outside limits were the same for all 
culpability categories and this ignored the outside limits set forth by 
the HITECH Act within the lower penalty tiers, rendering those limits 
meaningless. A few commenters expressed particular concern with what 
they believed to be the unfair ability of the Secretary to impose the 
maximum penalty amounts to violations falling within the two lowest 
categories of culpability (i.e., did not know violations and violations 
due to reasonable cause and not willful neglect).
Final Rule
    This final rule retains the revised penalty structure in Sec.  
160.404(b) as implemented by the IFR. We continue to believe the 
penalty amounts are appropriate and reflect the most logical reading of 
the HITECH Act, which provides the Secretary with discretion to impose 
penalties for each category of culpability up to the maximum amount 
described in the highest penalty tier.
    With respect to those comments expressing concern about the 
discretion available to the Secretary under the adopted scheme we 
emphasize again that the Department will not impose the maximum penalty 
amount in all cases but will rather determine the amount of a penalty 
on a case-by-case basis, depending on the nature and extent of the 
violation and the nature and extent of the resulting harm, as required 
by the HITECH Act, as well as the other factors set forth at Sec.  
160.408. In response to those commenters particularly concerned about 
the impact of penalties on smaller entities, we note that the other 
factors include both the financial condition and size of the covered 
entity or business associate. These factors are discussed more fully 
below.
    In addition, with respect to comments expressing specific concern 
about fairness regarding those violations of which an entity did not 
know or by exercising reasonable diligence would not have known or for 
which there was a reasonable cause and not willful neglect, we note 
that in both cases an entity may establish that an affirmative defense 
applies under Sec.  160.410, where the entity corrects the violation 
within 30 days from the date the entity had knowledge of the violation 
or with the exercise of reasonable diligence would have had knowledge 
of the violation, or during a period determined appropriate by the 
Secretary based upon the nature and extent of the entity's failure to 
comply. These affirmative defenses are described more fully below.
    In addition, Section 13410(d) of the HITECH Act and Section 1176(a) 
of the Social Security Act, give the Secretary further ability to waive 
a civil money penalty, in whole or in part, under certain 
circumstances. Thus, to the extent an entity fails to correct such 
violations within the mandated timeframe, the Secretary may also 
utilize her waiver authority provided for at Sec.  160.412, to waive 
the penalty amount in whole or in part, to the extent that payment of 
the penalty would be excessive relative to the violation.
    Further, pursuant to 42 U.S.C. 1320a-7a(f), the Secretary always 
has the discretion to settle any issue or case or to compromise the 
amount of a civil money penalty assessed for a violation of the HIPAA 
Rules.

[[Page 5584]]

    Finally, in the event an entity believes that a civil money penalty 
has been imposed unfairly, the entity could exercise its right under 
Sec.  160.504 to appeal the imposition of a civil money penalty in a 
hearing before an administrative law judge.
Response to Other Public Comments
    Comment: We received a few comments in response to the IFR and NPRM 
requesting clarification as to how the Secretary will count violations 
for purposes of calculating civil money penalties. One commenter 
requested clarification as to how the numbers of ``occurrences'' are 
determined, suggesting that penalties could be very significant, and 
vary significantly, depending on the counting methodology utilized. The 
Department also received one comment asking whether a violation is 
defined as one event. This commenter queried, for example, whether the 
loss of unsecured electronic media would be considered as a single 
violation, even if the media contained several hundred records. The 
commenter also asked for confirmation that $1,500,000 is the aggregate 
limit of all fines for all violations in a given calendar year which 
would apply across an entire enterprise, regardless of violations 
occurring in different business units.
    Response: How violations are counted for purposes of calculating a 
civil money penalty vary depending on the circumstances surrounding the 
noncompliance. Generally speaking, where multiple individuals are 
affected by an impermissible use or disclosure, such as in the case of 
a breach of unsecured protected health information, it is anticipated 
that the number of identical violations of the Privacy Rule standard 
regarding permissible uses and disclosures would be counted by the 
number of individuals affected. Further, with respect to continuing 
violations, such as lack of appropriate safeguards for a period of 
time, it is anticipated that the number of identical violations of the 
safeguard standard would be counted on a per day basis (i.e., the 
number of days the entity did not have appropriate safeguards in place 
to protect the protected health information). Note also that in many 
breach cases, there will be both an impermissible use or disclosure, as 
well as a safeguards violation, for each of which the Department may 
calculate a separate civil money penalty. We refer readers to prior 
Enforcement Rule preambles for additional discussion on the counting 
methodology. See 70 FR 20224, 20233-55 (April 18, 2005) and 71 FR 8390, 
8404-07 (February 16, 2006).
    With respect to whether the aggregate CMP limit of $1.5 million 
would apply to all violations in a given calendar year, across an 
entire enterprise, regardless of violations occurring in different 
business units of the enterprise, we note that the Enforcement Rule's 
penalty scheme, and thus the limit for identical violations in a 
calendar year applies to the legal entity that is a covered entity or 
business associate. However, as we indicated above, a covered entity or 
business associate may be liable for multiple violations of multiple 
requirements, and a violation of each requirement may be counted 
separately. As such, one covered entity or business associate may be 
subject to multiple violations of up to a $1.5 million cap for each 
violation, which would result in a total penalty above $1.5 million.
d. Section 160.408--Factors Considered in Determining the Amount of a 
Civil Money Penalty
Proposed Rule
    Section 160.408 implements section 1176(a)(2) of the Social 
Security Act, which requires the Secretary, when imposing a civil money 
penalty, to apply the provisions of section 1128A of the Social 
Security Act ``in the same manner as such provisions apply to the 
imposition of a civil money penalty under section 1128A.'' In 
determining a penalty amount, section 1128A requires the Secretary to 
take into account the nature of the claims and the circumstances under 
which they were presented; the degree of culpability, history of prior 
offenses and financial condition of the person presenting the claims; 
and such other matters as justice may require.
    Section 160.408 adopted these factors and provided a more specific 
list of circumstances within each. Because the Enforcement Rule applies 
to a number of rules, which apply to an enormous number of entities and 
circumstances, the Secretary has the discretion to decide whether and 
how to consider the factors (i.e., as either aggravating or mitigating) 
in determining the amount of a civil money penalty.
    As previously indicated, section 13410(d) of the HITECH Act 
modified section 1176(a)(1) of the Social Security Act to require that 
the Department base determinations of appropriate penalty amounts on 
the nature and extent of the violation and the nature and extent of the 
harm resulting from such violation. However, the HITECH Act did not 
modify section 1176(a)(2),which continues to require application of the 
factors in section 1128A.
    The proposed rule proposed to revise the structure and list of 
factors at Sec.  160.408 to make explicit the new HITECH Act 
requirement that the Secretary consider the nature and extent of the 
violation and the nature and extent of the harm resulting from the 
violation, in addition to those factors enumerated in section 1128A. We 
proposed to exclude, however, the factor at Sec.  160.408(c) regarding 
the degree of culpability of the covered entity, which originated in 
section 1128A, because culpability is now reflected in the penalty 
tiers.
    Specifically, the Department proposed to revise Sec.  160.408(a) to 
identify ``the nature and extent of the violation,'' ``the nature and 
extent of the harm resulting from the violation,'' and the ``history of 
prior compliance with the administrative simplification provision, 
including violations by the covered entity or business associate,'' the 
``financial condition of the covered entity or business associate,'' 
and ``such other matters as justice may require,'' as the five general 
factors the Secretary will consider in determining a civil money 
penalty. Under each of these categories, we proposed to reorganize and 
list the specific factors that may be considered.
    In addition, in the first, second, and third factors, we proposed 
to add certain circumstances which may be considered in determining a 
penalty amount. Under the first factor, we proposed to add ``the number 
of individuals affected'' as relevant to the extent of a violation. 
Under the second factor, we proposed to add ``reputational harm'' to 
the specific circumstances which may be considered, to make clear that 
reputational harm is as cognizable a form of harm as physical or 
financial harm. Finally, in the third factor, the Department proposed 
to modify the phrase ``prior violations'' to ``indications of 
noncompliance,'' because use of the term ``violation'' is generally 
reserved for instances where the Department has made a formal finding 
of a violation through a notice of proposed determination. However, a 
covered entity's general history of HIPAA compliance is relevant in 
determining the amount of a civil money penalty within the penalty 
range.
    The Department did not propose to modify the Secretary's discretion 
in how to apply the factors--i.e., as either mitigating or aggravating.
Overview of Public Comments
    We received one comment requesting that the Department limit the 
number of mitigating factors it will consider when determining penalty 
amounts and apply

[[Page 5585]]

civil money penalties in every case of noncompliance, including where 
resolution and compliance have been achieved by informal means. The 
commenter also argued that a covered entity's or business associate's 
financial condition or financial difficulties should not be considered 
as mitigating factors in determining the amount of civil money 
penalties. The commenter recommended that penalties should apply to all 
violators except those who despite due diligence could not discover the 
violation, who reported the violation immediately, and who fully 
corrected the problem within 30 days of discovery.
    We received two comments in support of considering reputational 
harm in the computation of civil money penalties. One commenter 
emphasized that reputational harm addresses harm to individuals' 
dignity interest and recommended the inclusion of ``other'' harm as 
well. However, another covered entity expressed concern that damages 
for reputational harm are difficult to quantify and, therefore, claims 
might lead to protracted litigation and expensive settlements, 
ultimately increasing the costs of health care. Finally, we received 
one comment requesting examples of situations involving a cognizable 
claim of reputational harm.
    We also received several comments requesting that the Department 
continue to consider the degree of culpability when determining the 
amount of a civil money penalty. One commenter specifically recommended 
that the Department consider whether unauthorized access has occurred 
when determining civil money penalty amounts. We also received one 
comment suggesting that the Department revise proposed Sec.  160.408(c) 
to recognize as a mitigating factor whether the current violation is 
inconsistent with an entity's prior history of compliance.
    With respect to the evaluation of a covered entity's or business 
associate's history of prior compliance, we received a number of 
comments expressing concern that replacing ``violations'' with 
``indications of noncompliance'' would create ambiguity, and would not 
adequately inform covered entities and business associates of the 
factors that the Department will consider when determining civil money 
penalty amounts. The commenters expressed concern that expanding the 
evaluation of prior compliance beyond documented, formal findings of 
noncompliance would permit the Department to rely on information of 
dubious credibility. Commenters requested that, to prevent uncertainty, 
the Department either retain the term ``violations'' or provide a clear 
definition, including examples, of ``indications of noncompliance.''
    Finally, we received several comments requesting additional 
examples and guidance on how the Department will apply the factors in 
assessing penalty amounts.
Final Rule
    The final rule adopts the proposed modifications. We do not 
eliminate the factors concerning an entity's financial condition, as 
such factors are based on the requirement in section 1128A(d) of the 
Social Security Act. We emphasize that the goal of enforcement is to 
ensure that violations do not recur without impeding access to care. 
Further, we note that an entity's financial condition can affect a 
civil money penalty in either direction, that is, while an entity in 
poor financial condition may face a lesser penalty if its financial 
condition affected its ability to comply, an entity with greater 
financial resources could be subject to higher penalties for 
violations, in part because it had the resources to maintain 
compliance.
    When considering the nature of the violation, the Department 
intends to consider factors such as the time period during which the 
violation(s) occurred and the number of individuals affected. Such 
considerations reflect the nature of the violation, specifically with 
respect to potential violations that affect a large number of 
individuals, for example, where disclosure of protected health 
information in multiple explanation of benefits statements (EOBs) that 
were mailed to the wrong individuals resulted from one inadequate 
safeguard but affected a large number of beneficiaries. However, we do 
recognize that these specific circumstances might also be considered 
under Sec.  160.406, with respect to counting violations. See 71 FR 
8390, 8409.
    Whether reputational harm is implicated in a HIPAA violation will 
be a fact-specific inquiry. We emphasize, however, that we do not 
consider reputational harm to arise solely from the unlawful disclosure 
of protected health information relating to medical diagnoses that may 
be considered especially sensitive, such as sexually transmitted 
infections or mental health disorders. Rather, the facts of the 
situation will determine whether reputational harm has occurred, such 
as whether the unlawful disclosure resulted in adverse effects on 
employment, standing in the community, or personal relationships. With 
respect to requests to consider ``other'' harm or whether unauthorized 
access has occurred, we reiterate that, in determining the nature and 
extent of the harm involved, we may consider all relevant factors, not 
just those expressly included in the text of the regulation.
    Regarding the shift in terminology from ``history of violations'' 
to ``prior indications of noncompliance,'' we note that use of the 
terms ``violation'' or ``violate'' generally indicates that the 
Department has made a formal finding of a violation through a notice of 
proposed determination. Because the Department has a number of 
enforcement tools, such as informal resolution through a corrective 
action plan, the number of ``violations'' incurred by a covered entity 
or business associate does not constitute an accurate picture of a 
covered entity's or business associate's general history of compliance 
with all HIPAA Rules, which is relevant in determining the amount of a 
civil money penalty within the penalty range. See 71 FR 8390, 8408. As 
such, the Department modified the provision to reflect the Department's 
policy of considering the covered entity's or business associate's 
general history of compliance with the HIPAA Rules when determining a 
civil money penalty.
    With regard to the phrase ``indications of noncompliance,'' we 
first clarify that a mere complaint does not constitute an indication 
of noncompliance. Instead, prior indications of noncompliance may refer 
to the number of times the Department has investigated an entity in the 
past and discovered indications of noncompliance that the Department 
resolved by informal means, such as satisfactory corrective action 
voluntarily taken by the covered entity. Finally, we agree that an 
entity's history of compliance--not only a history of noncompliance--is 
important, and will consider such a factor.
e. Section 160.410--Affirmative Defenses
Interim Final Rule and Proposed Rule
    As noted above, the IFR made changes to the affirmatives defenses 
found in the Enforcement Rule at Sec.  160.410 to implement the 
modifications to section 1176(b) of the Social Security Act made by 
section 13410(d) of the HITECH Act. Specifically, the IFR removed the 
previous affirmative defense to the imposition of penalties if the 
covered entity did not know and with the exercise of reasonable 
diligence would not have known of the violation (since such violations 
are now punishable under the lowest tier of penalties), and by 
providing a prohibition on the

[[Page 5586]]

imposition of penalties for any violation that is corrected within a 
30-day time period, as long as the violation was not due to willful 
neglect.
    The proposed rule included additional modifications to Sec.  
160.410 to conform to the changes made to section 1176(b) by the HITECH 
Act. Specifically, we proposed to implement the revision of section 
1176(b)(1) of the Social Security Act by providing in Sec.  
160.410(a)(1) and (2) that the affirmative defense of criminally 
``punishable'' is applicable to penalties imposed prior to February 18, 
2011, and on or after February 18, 2011, the Secretary's authority to 
impose a civil money penalty will only be barred to the extent a 
covered entity or business associate can demonstrate that a criminal 
penalty has been imposed. Additionally, the Department also proposed 
modifications to the affirmative defenses in Sec.  160.410 for 
violations occurring prior to February 18, 2009, to ensure the prior 
definition of ``reasonable cause'' continued to apply in such 
circumstances and avoiding any potential issues regarding a retroactive 
application of the revised term.
Final Rule
    The final rule adopts the proposed modifications to Sec.  160.410. 
The Department did not receive any comments in response to the NPRM's 
proposed revisions to this section.
f. Section 160.412--Waiver
    Prior to February 18, 2009, Sec.  160.412 stated that ``[f]or 
violations described in Sec.  160.410(b)(3)(i) that are not corrected 
within the period described in Sec.  160.410(b)(3)(ii), the Secretary 
may waive the civil money penalty, in whole or in part, to the extent 
that payment of the penalty would be excessive relative to the 
violation.'' This language implicitly recognized a covered entity's 
ability to claim an affirmative defense to the imposition of a civil 
money penalty, under what was then Sec.  160.410(b)(2), by establishing 
that it did not have knowledge of the violation, determined in 
accordance with the Federal common law of agency, and by exercising 
reasonable diligence, would not have known that the violation occurred. 
While section 13410(d) of the HITECH Act revised section 1176(b) of the 
Social Security Act to eliminate the affirmative defense for such 
violations, absent corrective action during a 30-day period, it did not 
revise the Secretary's waiver authority. As a result, the Enforcement 
IFR amended Sec.  160.412 to reflect the revisions made to Sec.  
160.410 to provide that ``[r]egardless of whether violations occur 
before, on, or after February 18, 2009, the Secretary had the authority 
to provide a waiver for violations due to reasonable cause and not 
willful neglect that are not timely corrected (pursuant to the 
correction period in revised Sec.  160.410(a)(3)(ii) or (b)(2)(ii), as 
applicable).'' See 74 FR 56129.
    The proposed rule included conforming changes to Sec.  160.412 to 
align the provision with the revisions to Sec.  160.410. See 75 FR 
40881. The proposed revision would effectively provide the Secretary 
with the authority to waive a civil money penalty, in whole or in part, 
for violations described in Sec.  160.410(b)(2) (occurring prior to 
February 18, 2009, and due to circumstances that would make it 
unreasonable for the covered entity, despite the exercise of ordinary 
business care and prudence, to comply with the administrative 
simplification provision violated) or Sec.  160.410(c) (occurring on or 
after February 18, 2009, and involving an establishment to the 
satisfaction of the Secretary that the violation is not due to willful 
neglect) and that are not corrected within the period specified under 
such paragraphs.
Overview of Public Comments
    The Department received a few comments in response to the IFR 
regarding the Secretary's authority to waive the imposition of a civil 
money penalty for violations occurring on or after February 18, 2009, 
each of which urged that the Secretary's waiver authority be extended 
to apply also to penalties for violations of which a covered entity did 
not know, or through the exercise of reasonable diligence, would not 
have known, in addition to reasonable cause violations, because ``did 
not know'' violations are a less culpable category of violation than 
reasonable cause violations.
Final Rule
    The final rule adopts the modifications to Sec.  160.412 proposed 
in the NPRM, which addresses the concerns of the above commenters on 
the IFR.
g. Section 160.418--Penalty Not Exclusive
Proposed Rule
    We proposed to revise this section to incorporate a reference to 
the provision of PSQIA at 42 U.S.C. 299b-22 that provides that 
penalties are not to be imposed under both PSQIA and the HIPAA Privacy 
Rule for the same violation.
Final Rule
    The Department did not receive substantive public comment on this 
proposal. The final rule adopts the proposed modification to Sec.  
160.418.
h. Section 160.420--Notice of Proposed Determination
Interim Final Rule
    The Enforcement IFR also amended Sec.  160.420(a)(4) to add the 
requirement that, in addition to the proposed penalty amount, the 
Secretary identify in a notice of proposed determination the applicable 
violation category in Sec.  160.404 upon which the proposed penalty 
amount is based. While not statutorily required, the Enforcement IFR 
included this amendment to provide covered entities and business 
associates with additional information that would increase their 
understanding of the violation findings in the notice of proposed 
determination.
Overview of Public Comment
    The Department received three comments supporting this amendment.
Final Rule
    The final rule retains the provision as modified in the IFR.
i. Calculation of the 30-Day Cure Period for Willful Neglect Violations
Interim Final Rule
    In its discussion of the HITECH Act's revision of affirmative 
defenses, the Department noted that section 1176(b)(2)(A) of the Social 
Security Act still operates to exclude violations due to willful 
neglect from those that, if timely corrected, would be exempt from the 
Secretary's imposition of a civil money penalty. However, a covered 
entity's timely action to correct still would be determinative with 
respect to which of the two tiers of willful neglect penalty amounts 
would apply. To determine the appropriate penalty tier for such 
violations, the Department stated it would calculate the 30-day cure 
period in the same manner as described for determining whether an 
affirmative defense applied. That is, the Department would look at when 
a covered entity first had actual or constructive knowledge of a 
violation due to willful neglect, based on evidence gathered during its 
investigation, on a case-by-case basis. See 74 FR 56128 (October 30, 
2009), 70 FR 20224, 20237-8 (April 18, 2005) and 71 FR 8390, 8410 
(February 16, 2006) for prior, more detailed discussions about the 
Department's determination of when knowledge exists.

[[Page 5587]]

    Because the Department recognized that the minimum penalty amount 
under the HITECH Act of a violation due to willful neglect that is 
corrected during the 30-day cure period is significantly less than that 
for a violation due to willful neglect that is not timely corrected 
(equating to a $40,000 minimum penalty amount difference), the IFR 
specifically requested comment on whether there are alternative 
approaches to calculating the beginning of the 30-day cure period for 
this purpose.
Overview of Public Comments
    While a few commenters expressed support for utilizing the current 
scheme in determining which tier should apply to a violation due to 
willful neglect, other commenters expressed concerns with this approach 
due to the uncertainty with determining exactly when the cure period 
begins and that a business associate's knowledge of a violation could 
be imputed to the covered entity prior to the business associate 
notifying the covered entity, as well as concerns if the Secretary does 
not notify an entity of a potential violation in a timely manner. A few 
commenters suggested that the 30-day cure period begin once the 
Department notifies the covered entity of a complaint.
Final Rule
    The final rule retains the policy that the 30-day cure period for 
violations due to willful neglect, like those not due to willful 
neglect, begins on the date that an entity first acquires actual or 
constructive knowledge of the violation and will be determined based on 
evidence gathered by the Department during its investigation, on a 
case-by-case basis.
    First, the requirement that an entity have knowledge that a 
``violation'' has occurred, and not only of the facts underlying the 
violation, is a higher standard than that which is often required by 
other law. Also, as a practical matter, the date an entity has actual 
or constructive knowledge of a violation will vary depending on the 
circumstances involved, and may be the result of notice by a workforce 
member or business associate, a complaint received by a health care 
consumer, or notification by the Department that a complaint has been 
filed. However, other sources of information exist that could establish 
knowledge, including internal indications of a potential noncompliance 
such as unusual access or audit log activity.
    While we understand commenters' concerns relating to the 
uncertainty inherent to constructive knowledge, we believe that it 
provides an appropriate incentive that is consistent with the 
strengthened enforcement of the HIPAA Rules, as provided in the HITECH 
Act. Reliance on notification by a complainant or the Department would 
not encourage self-correction or an entity's establishment of a 
compliance program that proactively prevents, detects and corrects 
indications of noncompliance. If the cure period were solely based on 
external notification, it is quite possible that entities would have 
little or no incentive to make corrections of noncompliance until long 
after an incident occurred, if ever. In response to concerns that 
constructive knowledge may be imputed to the principal when an agent 
fails to notify the responsible entity, we note that an agent must be 
acting within the scope of agency for a covered entity or a business 
associate to be liable for the agent's acts or failures to act. An 
agent that fails to notify a covered entity or business associate may 
be acting outside its scope of authority as an agent. In such a 
circumstance, the agent's knowledge is not imputed to the principal 
under the Federal Common Law of Agency.
    Finally, an entity will have the opportunity to submit evidence 
establishing its knowledge or lack of knowledge, during the 
Department's investigation. Entities will also have a right to request 
a hearing to appeal a finding about knowledge in a notice of proposed 
determination to the extent they believe the finding is not based on a 
preponderance of the evidence. An administrative law judge would then 
review the finding and affirm or modify it.
Response to Other Public Comments
    Comment: A few commenters suggested that 30 days may not be 
sufficient for a covered entity to complete corrective action, 
particularly with respect to large organizations with complex systems, 
structures and relationships. One commenter suggested there should be a 
process available to allow an organization to apply for a reasonable 
extension to complete the cure.
    Response: In response to commenters' concern about the length of 
the 30-day cure period, we note that this time period is defined by 
statute at section 1176(b) of the Social Security Act, and was not 
modified by section 13410(d) of the HITECH Act. Thus, we believe there 
is no authority upon which to base a modification to the length of the 
cure period.
    Comment: One commenter requested that the Department clarify 
whether the new enforcement provisions will apply to violations of all 
HIPAA Administrative Simplification provisions or just to the privacy 
and security requirements.
    Response: The enforcement regulations at 45 CFR Part 160, Subparts 
C, D, and E, relate to compliance with, and the enforcement of, all of 
the Administrative Simplification regulations adopted under subtitle F 
of Title II of HIPAA, including the Standards for Electronic 
Transactions and Code Sets (Transactions and Code Sets Rule(s) 
(referred to in both a singular and plural sense); Standards for 
Privacy of Individually Identifiable Health Information (HIPAA Privacy 
Rule); Standard Unique Employer Identifier (EIN Rule); Security 
Standards (HIPAA Security Rule); and Standard Unique Health Identifier 
for Health Care Providers (NPI Rule). In addition, the Enforcement Rule 
applies to the Breach Notification Rule for HIPAA covered entities and 
business associates.

C. Subparts A and C of Part 164: General Provisions and Modifications 
to the Security Rule

    We proposed implementing modifications to the Security Rule as a 
result of the HITECH Act and to make certain other changes. Below we 
respond to comments received on the proposed changes as well as 
describe the final rule provisions. We also discuss the final technical 
and conforming changes to the general provisions in Subpart A of Part 
164, which applies to the Security, Privacy, and Breach Notification 
Rules, and respond to comments where substantive comments were received 
on these changes.
1. Technical Changes to Subpart A--General Provisions
a. Section 164.102--Statutory Basis
    This section sets out the statutory basis of Part 164. We proposed 
and include in this final rule a technical change to include a 
reference to the provisions of sections 13400 through 13424 of the 
HITECH Act upon which the regulatory changes discussed below are based.
b. Section 164.104--Applicability
    This section sets out to whom Part 164 applies. We proposed to 
replace the existing paragraph (b) with an applicability statement for 
business associates, consistent with the provisions of the HITECH Act. 
Paragraph (b) makes clear that, where provided, the standards, 
requirements, and implementation specifications of the HIPAA Privacy, 
Security, and

[[Page 5588]]

Breach Notification Rules apply to business associates. We also 
proposed to remove as unnecessary the existing language in Sec.  
164.104(b) regarding the obligation of a health care clearinghouse to 
comply with Sec.  164.105 relating to organizational requirements of 
covered entities. This final rule adopts these changes as proposed.
c. Section 164.105--Organizational Requirements
    Section 164.105 outlines the organizational requirements and 
implementation specifications for health care components of covered 
entities and for affiliated covered entities. As Sec.  164.105 now also 
applies to Subpart D of Part 164 regarding breach notification for 
unsecured protected health information, we proposed to remove several 
specific references to Subparts C and E throughout this section to make 
clear that the provisions of this section also apply to Subpart D of 
Part 164. The final rule adopts these modifications.
    In addition, we proposed the following modifications to this 
section.
i. Section 164.105(a)(2)(ii)(C)-(E)
Proposed Rule
    As a covered entity's obligation to ensure that a health care 
component complies with the Privacy and Security Rules is already set 
out at Sec.  164.105(a)(2)(ii), we proposed to modify this section to 
remove as unnecessary paragraphs (C) and (D), which pertain to the 
obligation of a covered entity to ensure that any component that 
performs business associate-like activities and is included in the 
health care component complies with the requirements of the Privacy and 
Security Rules, and to re-designate paragraph (E) as (C). Additionally, 
we requested comment on whether we should require, rather than permit 
as was the case at Sec.  164.105(a)(2)(iii)(C), a covered entity that 
is a hybrid entity to include a component that performs business 
associate-like activities within its health care component so that such 
components are directly subject to the Rules.
Overview of Public Comments
    Several commenters recommended that hybrid entities should retain 
the flexibility to either include or exclude business associates from 
the healthcare component. Two of these commenters stated this option 
would allow the covered entity to distinguish the functions and 
responsibilities of the business associate as separate from the health 
care component, which would result in better compliance, as covered 
entities would evaluate each business associate separately for 
compliance purposes. Further, commenters argued that, as the covered 
entity is ultimately legally liable for compliance on the part of the 
organization, such a modification is not necessary.
    Additionally, several commenters stated that requiring a hybrid 
entity to include business associate departments is excessive and 
burdensome. Some of these commenters further stated that business 
associate departments of a hybrid entity will likely commit limited 
time, personnel, and staff hours to Privacy and Security Rule 
compliance and suggested that the hybrid entity should implement 
applicable entity-wide policies and procedures and separately ensure 
that business associate departments implement specific practices scaled 
to the business associate's use or disclosure of protected health 
information.
    In contrast, several commenters supported the proposed change. 
Several of these commenters suggested that the modification would 
better facilitate compliance, because requiring the covered entity to 
include the business associate department in the health care component 
would better protect the protected health information held by the 
business associate and would ensure consistent standards within the 
health care component of the covered entity.
Final Rule
    Many covered entities perform both covered and non-covered 
functions as part of their business operations. For such covered 
entities, the entire entity is generally required to comply with the 
Privacy Rule. However, the hybrid entity provisions of the HIPAA Rules 
permit the entity to limit the application of the Rules to the entity's 
components that perform functions that would make the component a 
``covered entity'' if the component were a separate legal entity. 
Specifically, this provision allows an entity to designate a health 
care component by documenting the components of its organization that 
perform covered entity functions. The effect of such a designation is 
that most of the requirements of the HIPAA Rules apply only to the 
designated health care component of the entity and not to the functions 
the entity performs that are not included in the health care component. 
While most of the HIPAA Rules' requirements apply only to the health 
care component, the hybrid entity retains certain oversight, 
compliance, and enforcement obligations.
    We explained in the preamble to the 2002 modifications to the 
Privacy Rule that the Rule provides hybrid entities with discretion as 
to whether or not to include business associate divisions within the 
health care component. However, a disclosure of protected health 
information from the health care component to any other division that 
is not part of the health care component, including a business 
associate division, is treated the same as a disclosure outside the 
covered entity. As a result, because an entity generally cannot have a 
business associate agreement with itself, a disclosure from the health 
care component to the business associate division(s) of the entity 
likely would require individual authorization. See 67 FR 53182, 53205 
(Aug. 14, 2002).
    Importantly, after this final rule, business associates, by 
definition, are separately and directly liable for violations of the 
Security Rule and for violations of the Privacy Rule for impermissible 
uses and disclosures pursuant to their business associate contracts. 
With respect to a hybrid entity, however, not including business 
associate functions within the health care component of a hybrid entity 
could avoid direct liability and compliance obligations for the 
business associate component. Thus, we agree with the commenters that 
supported requiring inclusion of business associate functions inside 
the health care component of a hybrid entity. As such, the final rule 
requires that the health care component of a hybrid entity include all 
business associate functions within the entity.
Response to Other Public Comments
    Comment: One commenter requested that the Department revise the 
definitions of ``hybrid entity'' to permit business associates to 
designate a health care component.
    Response: A business associate performs one or more functions on 
behalf of a covered entity (or, in this final rule, another business 
associate). As a business associate is only subject to the HIPAA Rules 
with respect to the protected health information it maintains, uses, or 
discloses on behalf of a covered entity (or business associate) and not 
to other information it may maintain, including health information, 
there is no need for a business associate to designate one or more 
health care components.
    Comment: One commenter asked whether an employer that operates an 
on-site clinic for the treatment of employees functions as a hybrid 
entity.
    Response: An entity that maintains an on-site clinic to provide 
health care to one or more employees may be a HIPAA covered provider to 
the extent the clinic performs one or more covered

[[Page 5589]]

transactions electronically, such as billing a health plan for the 
services provided. If covered, the entity need not become a hybrid 
entity so as to avoid applying the Privacy Rule to health information 
the entity holds in its role as employer, such as sick leave requests 
of its employees. Such information is already excluded from the 
definition of ``protected health information'' as employment records 
and thus, the Privacy Rule does not apply to this information. However, 
the identifiable health information the entity holds as a covered 
health care provider (e.g., the information the clinic holds about 
employees who have received treatment) is protected health information 
and generally may not be shared with the employer for employment 
purposes without the individual's authorization.
ii. Section 164.105(a)(2)(iii)(C)
    We proposed to modify this section to re-designate Sec.  
164.105(a)(2)(iii)(C) as (D), and to include a new paragraph (C), which 
makes clear that, with respect to a hybrid entity, the covered entity 
itself, and not merely the health care component, remains responsible 
for complying with Sec. Sec.  164.314 and 164.504 regarding business 
associate arrangements and other organizational requirements. Hybrid 
entities may need to execute legal contracts and conduct other 
organizational matters at the level of the legal entity rather than at 
the level of the health care component. The final rule adopts this 
change.
iii. Section 164.105(b)(1)
    The final rule fixes a minor typographical error in this paragraph 
by redesignating the second paragraph (1) as paragraph (2).
iv. Section 164.105(b)(2)(ii)
    The final rule simplifies this paragraph by collapsing 
subparagraphs (A), (B), and (C) regarding the obligations of an 
affiliated entity to comply with the Privacy and Security Rules into 
one provision.
d. Section 164.106--Relationship to Other Parts
    The final rule adds a reference in this provision to business 
associates, consistent with their inclusion elsewhere throughout the 
other HIPAA Rules.
2. Modifications to the HIPAA Security Rule in Subpart C
a. Business Associates
Proposed Rule
    Before the HITECH Act, the Security Rule did not directly apply to 
business associates of covered entities. However, section 13401 of the 
HITECH Act provides that the Security Rule's administrative, physical, 
and technical safeguards requirements in Sec. Sec.  164.308, 164.310, 
and 164.312, as well as the Rule's policies and procedures and 
documentation requirements in Sec.  164.316, apply to business 
associates in the same manner as these requirements apply to covered 
entities, and that business associates are civilly and criminally 
liable for violations of these provisions.
    To implement section 13401 of the HITECH Act, we proposed to insert 
references in Subpart C to ``business associate'' following references 
to ``covered entity,'' as appropriate, to make clear that these 
provisions of the Security Rule also apply to business associates. In 
addition, we proposed additional changes to Sec. Sec.  164.306, 
164.308, 164.312, 164.314, and 164.316 of the Security Rule, as 
discussed below.
Overview of Public Comments
    Some commenters argued that the time, implementation expense, 
transaction cost, and liability cost burdens on business associates and 
subcontractors to comply with the Security Rule, especially small and 
mid-size entities, would be significant. Other commenters supported the 
direct application of the Security Rule to business associates and 
subcontractors.
Final Rule
    We adopt the modifications to the Security Rule as proposed to 
implement the HITECH Act's provisions extending direct liability for 
compliance with the Security Rule to business associates. In response 
to the concerns raised regarding the costs of compliance, we note that 
the Security Rule currently requires a covered entity to establish a 
business associate agreement that requires business associates to 
implement administrative, physical, and technical safeguards that 
reasonably and appropriately protect the confidentiality, integrity, 
and availability of the electronic protected health information that 
they create, receive, maintain, or transmit on behalf of the covered 
entity as required by the Security Rule; and to ensure that any agent, 
including a subcontractor, to whom they provide such information agrees 
to implement reasonable and appropriate safeguards to protect it. See 
Sec.  164.314(a). Consequently, business associates and subcontractors 
should already have in place security practices that either comply with 
the Security Rule, or that require only modest improvements to come 
into compliance with the Security Rule requirements.
    Moreover, the requirements of the Security Rule were designed to be 
technology neutral and scalable to all different sizes of covered 
entities and business associates. Covered entities and business 
associates have the flexibility to choose security measures appropriate 
for their size, resources, and the nature of the security risks they 
face, enabling them to reasonably implement any given Security Rule 
standard. In deciding which security measures to use, a covered entity 
or business associate should take into account its size, capabilities, 
the costs of the specific security measures, and the operational 
impact. Thus, the costs of implementing the Security Rule for large, 
mid-sized, or small business associates will be proportional to their 
size and resources.
    Notwithstanding the above, based on the comments, we acknowledge 
that some business associates, particularly the smaller or less 
sophisticated business associates that may have access to electronic 
protected health information for limited purposes, may not have engaged 
in the formal administrative safeguards such as having performed a risk 
analysis, established a risk management program, or designated a 
security official, and may not have written policies and procedures, 
conducted employee training, or documented compliance as the statute 
and these regulations would now require. For these business associates, 
we include an estimate for compliance costs below in the regulatory 
impact analysis. We also refer these business associates to our 
educational papers and other guidance on compliance with the HIPAA 
Security Rule found at: https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule. These materials provide guidance on 
conducting risk analyses and implementing the other administrative 
safeguards required by the Security Rule, which may prove helpful to 
these business associates and facilitate their compliance efforts.
b. Section 164.306--Security Standards: General Rules
Proposed Rule
    Section 164.306 sets out the general rules that apply to all of the 
security

[[Page 5590]]

standards and implementation specifications that follow in the Security 
Rule. We proposed technical revisions to Sec.  164.306(e) to more 
clearly indicate that covered entities and business associates must 
review and modify security measures as needed to ensure the continued 
provision of reasonable and appropriate protection of electronic 
protected health information, and update documentation of such security 
measures accordingly.
Final Rule
    The Department did not receive substantive public comment on this 
proposal. The final rule adopts the modifications to Sec.  164.306 as 
proposed.
c. Section 164.308--Administrative Safeguards
Proposed Rule
    We proposed a technical change to Sec.  164.308(a)(3)(ii)(C) 
regarding security termination procedures for workforce members, to add 
the words ``or other arrangement with'' after ``employment of'' in 
recognition of the fact that not all workforce members are employees 
(e.g., some may be volunteers) of a covered entity or business 
associate. We also proposed a number of modifications to Sec.  
164.308(b) to conform to modifications proposed in the definition of 
``business associate.'' Section 164.308(b) provides that a covered 
entity may permit a business associate to create, receive, maintain, or 
transmit electronic protected health information only if the covered 
entity has a contract or other arrangement in place to ensure the 
business associate will appropriately safeguard the protected health 
information. Section164.308(b)(2) contains several exceptions to this 
general rule for certain situations that do not give rise to a business 
associate relationship, such as where a covered entity discloses 
electronic protected health information to a health care provider 
concerning the treatment of an individual. We proposed to remove these 
exceptions from this provision, since as discussed above, they would 
now be established as exceptions to the definition of ``business 
associate.''
    In addition, we proposed to modify Sec.  164.308(b)(1) and (2) to 
clarify that covered entities are not required to obtain satisfactory 
assurances in the form of a contract or other arrangement with a 
business associate that is a subcontractor; rather, it is the business 
associate that must obtain the required satisfactory assurances from 
the subcontractor to protect the security of electronic protected 
health information.
    Finally, we proposed to remove the provision at Sec.  
164.308(b)(3), which provides that a covered entity that violates the 
satisfactory assurances it provided as a business associate of another 
covered entity will be in noncompliance with the Security Rule's 
business associate provisions, as a covered entity's actions as a 
business associate of another covered entity would now be directly 
regulated by the Security Rule's provisions that apply to business 
associates.
Overview of Public Comments
    One commenter asked for confirmation that the changes to Sec.  
164.308 would require a covered entity to enter into a business 
associate agreement with its own business associate and not any 
subcontractors of those business associates.
Final Rule
    The final rule adopts the proposed modifications to Sec.  164.308. 
Section 164.308(b) expressly provides that a covered entity is not 
required to enter into a business associate agreement with a business 
associate that is a subcontractor; rather, this is the obligation of 
the business associate that has engaged the subcontractor to perform a 
function or service that involves the use or disclosure of protected 
health information.
d. Section 164.314--Organizational Requirements
Proposed Rule
    While Section 13401 of the HITECH Act does not expressly include 
Sec.  164.314 among the provisions for which business associates are 
directly liable, it states that Sec.  164.308 of the Security Rule 
applies to business associates ``in the same manner'' that the 
provision applies to covered entities. Section 164.308(b) requires a 
covered entity's business associate agreements to conform to the 
requirements of Sec.  164.314. Accordingly, in order for Sec.  
164.308(b) to apply to business associates in the same manner as it 
applies to covered entities, we proposed to revise Sec.  164.314 to 
reflect that it is also applicable to agreements between business 
associates and subcontractors that create, receive, maintain, or 
transmit electronic protected health information.
    We also proposed a number of modifications to streamline the 
requirements of Sec.  164.314. First, since a business associate for 
purposes of the Security Rule is also always a business associate for 
purposes of the Privacy Rule, we proposed to remove contract provisions 
that were merely duplicative of parallel provisions in the Privacy 
Rule's business associate contract provisions at Sec.  164.504. We also 
proposed to remove the specific requirements under Sec.  
164.314(a)(2)(ii) for other arrangements, such as a memorandum of 
understanding when both a covered entity and business associate are 
governmental entities, and instead simply refer to the parallel Privacy 
Rule requirements at Sec.  164.504(e)(3).
    Second, we proposed conforming modifications to the remaining 
contract requirements in Sec.  164.314(a)(2)(i) to provide that such 
contracts must require a business associate to comply with the Security 
Rule, to ensure any subcontractors enter into a contract or other 
arrangement to protect the security of electronic protected health 
information; and with respect to the reporting of security incidents by 
business associates to covered entities, to report to the covered 
entity breaches of unsecured protected health information as required 
by Sec.  164.410 of the breach notification rules.
    Third, we proposed to add a provision at Sec.  164.314(a)(2)(iii) 
that provides that the requirements of this section for contracts or 
other arrangements between a covered entity and business associate 
would apply in the same manner to contracts or other arrangements 
between business associates and subcontractors required by the proposed 
requirements of Sec.  164.308(b)(4). For example, under these 
provisions, a business associate contract between a business associate 
and a business associate subcontractor would need to provide that the 
subcontractor report any security incident of which it becomes aware, 
including breaches of unsecured protected health information as 
required by Sec.  164.410, to the business associate. This would mean 
that if a breach of unsecured protected health information occurs at or 
by a second tier subcontractor, the subcontractor must notify the 
business associate subcontractor with which it contracts of the breach, 
which then must notify the business associate which contracts with the 
covered entity of the breach, which then must notify the covered entity 
of the breach. The covered entity then notifies the affected 
individuals, the Secretary, and, if applicable, the media, of the 
breach, unless it has delegated such responsibilities to a business 
associate. Finally, we proposed to remove the reference to 
subcontractors in Sec.  164.314(b)(2)(iii) regarding amendment of group 
health plan documents as a condition of disclosure of protected health 
information to a plan sponsor, as unnecessary and to avoid

[[Page 5591]]

confusion with the use of the term subcontractor when referring to 
subcontractors that are business associates.
Final Rule
    The Department did not receive substantive public comment on these 
proposed changes. The final rule adopts the modifications as proposed.
Response to Other Public Comments
    Comment: One commenter suggested that business associate agreements 
should be an ``addressable'' requirement under the Security Rule.
    Response: The HITECH Act does not remove the requirements for 
business associate agreements under the HIPAA Rules. Therefore, we 
decline to make the execution of business associate agreements an 
``addressable'' requirement under the Security Rule.
    Comment: One commenter recommended that the Department remove the 
``addressable'' designation from the Security Rule, because such 
designations lead to ambiguity in the application of the Security Rule 
in the health care industry.
    Response: We decline to adopt this recommendation. The Security 
Rule is structured to be both scalable and flexible, so that entities 
of different types and sizes can implement the standards and 
implementation specifications in a manner that is reasonable and 
appropriate for their circumstances. We do not mandate the use of 
specific technologies, or require uniform policies and procedures for 
compliance, because we recognize the diversity of regulated entities 
and appreciate the unique characteristics of their environments.
    Comment: Two commenters suggested providing subcontractors with 
additional time to comply with the provisions of the Security Rule.
    Response: We decline to delay application of the requirements under 
the Security Rule to subcontractors beyond the compliance dates 
provided by this final rule. As we emphasized above, the Security Rule 
already requires covered entities to establish business associate 
agreements that require business associates to ensure that their 
subcontractors implement reasonable and appropriate safeguards to 
protect the security of electronic protected health information they 
handle.
    Comment: A few commenters proposed alternative ways to apply 
security requirements to subcontractors, such as exempting 
subcontractors from compliance with the Security Rule if they have 
already completed security assessments and met the security 
requirements under other State and Federal laws or only requiring 
subcontractors to comply with the minimum necessary standard and to 
utilize ``reasonable'' security measures with regard to protected 
health information.
    Response: We decline to adopt an exemption or otherwise limit 
subcontractors' responsibility to safeguard individuals' electronic 
protected health information. To ensure appropriate and strong security 
protections for electronic protected health information, subcontractors 
are required to comply with the Security Rule to the same extent as 
business associates with a direct relationship with a covered entity.

D. Subpart E of Part 164: Modifications to the Privacy Rule

    The NPRM proposed a number of changes to the Privacy Rule to 
implement certain provisions of the HITECH Act, as well as certain 
modifications to improve the workability and effectiveness of the Rule 
and to conform the Privacy Rule to PSQIA. The section-by-section 
description below of the final rule discusses the proposed and final 
changes and responds to public comments
1. Section 164.500--Applicability
    Section 13404 of the HITECH Act makes specific requirements of the 
Privacy Rule applicable to business associates and creates direct 
liability for noncompliance by business associates with regard to those 
requirements.
Proposed Rule
    In accordance with section 13404 of the HITECH Act, we proposed 
language in Sec.  164.500 to clarify that, where provided, the 
standards, requirements, and implementation specifications of the 
Privacy Rule apply to business associates.
Overview of Public Comments
    One commenter suggested that the Department expand the 
applicability of the Privacy Rule to all entities that handle 
individually identifiable health information. Some commenters requested 
clarification as to which provisions of the Privacy Rule apply directly 
to business associates, and one commenter recommended applying all of 
the provisions of the Privacy Rule to business associates, including 
requiring business associates to implement reasonable safeguards, train 
employees, and designate a privacy official.
Final Rule
    The final rule implements the proposed revisions to Sec.  164.500. 
While we understand commenters' concerns regarding the uses and 
disclosures of health information by entities not covered by the 
Privacy Rule, the Department is limited to applying the HIPAA Rules to 
those entities covered by HIPAA (i.e., health plans, health care 
clearinghouses, and health care providers that conduct covered 
transactions) and to business associates, as provided under the HITECH 
Act.
    As we discuss further below, section 13404 of the HITECH Act 
creates direct liability for impermissible uses and disclosures of 
protected health information by a business associate of a covered 
entity ``that obtains or creates'' protected health information 
``pursuant to a written contract or other arrangement described in 
Sec.  164.502(e)(2)'' and for compliance with the other privacy 
provisions in the HITECH Act. Section 13404 does not create direct 
liability for business associates with regard to compliance with all 
requirements under the Privacy Rule (i.e., does not treat them as 
covered entities). Therefore, under the final rule, a business 
associate is directly liable under the Privacy Rule for uses and 
disclosures of protected health information that are not in accord with 
its business associate agreement or the Privacy Rule. In addition, a 
business associate is directly liable for failing to disclose protected 
health information when required by the Secretary to do so for the 
Secretary to investigate and determine the business associate's 
compliance with the HIPAA Rules, and for failing to disclose protected 
health information to the covered entity, individual, or individual's 
designee, as necessary to satisfy a covered entity's obligations with 
respect to an individual's request for an electronic copy of protected 
health information. See Sec.  164.502(a)(3) and (a)(4). Further, a 
business associate is directly liable for failing to make reasonable 
efforts to limit protected health information to the minimum necessary 
to accomplish the intended purpose of the use, disclosure, or request. 
See Sec.  164.502(b). Finally, business associates are directly liable 
for failing to enter into business associate agreements with 
subcontractors that create or receive protected health information on 
their behalf. See Sec.  164.502(e)(1)(ii). As was the case under the 
Privacy Rule before the HITECH Act, business associates remain 
contractually liable for all other Privacy Rule obligations that are 
included in

[[Page 5592]]

their contracts or other arrangements with covered entities.
2. Section 164.501--Definitions
a. Definition of ``Health Care Operations''
Proposed Rule
    PSQIA provides, among other things, that Patient Safety 
Organizations (PSOs) are to be treated as business associates of 
covered health care providers. Further, PSQIA provides that the patient 
safety activities of PSOs are deemed to be health care operations of 
covered health care providers under the Privacy Rule. See 42 U.S.C. 
299b-22(i). To conform to these statutory provisions, we proposed to 
amend paragraph (1) of the definition of ``health care operations'' to 
include an express reference to patient safety activities, as defined 
in the PSQIA implementing regulation at 42 CFR 3.20. Many health care 
providers participating in the voluntary patient safety program 
authorized by PSQIA are HIPAA covered entities. PSQIA acknowledges that 
such providers must also comply with the Privacy Rule and deems patient 
safety activities to be health care operations under the Privacy Rule. 
While such types of activities are already encompassed within paragraph 
(1) of the definition, which addresses various quality activities, we 
proposed to expressly include patient safety activities within 
paragraph (1) of the definition of health care operations to conform 
the definition to PSQIA and to eliminate the potential for confusion. 
This modification also addresses public comments the Department 
received during the rulemaking period for the PSQIA implementing 
regulations, which urged the Department to modify the definition of 
``health care operations'' in the Privacy Rule to expressly reference 
patient safety activities so that the intersection of the Privacy and 
PSQIA Rules would be clear. See 73 FR 70732, 70780 (Nov. 21, 2008).
Overview of Public Comments
    The Department received comments supporting the inclusion of 
patient safety activities in the definition of ``health care 
operations.''
Final Rule
    The final rule adopts the proposed modification.
b. Definition of ``Marketing''
Proposed Rule
    The Privacy Rule requires covered entities to obtain a valid 
authorization from individuals before using or disclosing protected 
health information to market a product or service to them. See Sec.  
164.508(a)(3). Section 164.501 defines ``marketing'' as making a 
communication about a product or service that encourages recipients of 
the communication to purchase or use the product or service. Paragraph 
(1) of the definition includes a number of exceptions to marketing for 
certain health-related communications: (1) Communications made to 
describe a health-related product or service (or payment for such 
product or service) that is provided by, or included in a plan of 
benefits of, the covered entity making the communications, including 
communications about: The entities participating in a healthcare 
provider network or health plan network; replacement of, or 
enhancements to, a health plan; and health-related products or services 
available only to a health plan enrollee that add value to, but are not 
part of, a plan of benefits; (2) communications made for the treatment 
of the individual; and (3) communications for case management or care 
coordination for the individual, or to direct or recommend alternative 
treatments, therapies, health care providers, or settings of care to 
the individual. A covered entity is permitted to make these excepted 
communications without an individual's authorization as either 
treatment or health care operations communications, as appropriate, 
under the Privacy Rule. In addition, the Privacy Rule does not require 
a covered entity to obtain individual authorization for face-to-face 
communications or to provide only promotional gifts of nominal value to 
the individual. See Sec.  164.508(a)(3)(i). However, a covered entity 
must obtain prior written authorization from an individual to send 
communications to the individual about non-health related products or 
services or to give or sell the individual's protected health 
information to a third party for marketing. Still, concerns have 
remained about the ability under these provisions for a third party to 
pay a covered entity to send health-related communications to an 
individual about the third party's products or services.
    Section 13406(a) of the HITECH Act limits the health-related 
communications that may be considered health care operations and thus, 
that are excepted from the definition of ``marketing'' under the 
Privacy Rule, to the extent a covered entity receives or has received 
direct or indirect payment in exchange for making the communication. In 
cases where the covered entity would receive such payment, the HITECH 
Act at section 13406(a)(2)(B) and (C) requires that the covered entity 
obtain the individual's valid authorization prior to making the 
communication, or, if applicable, prior to its business associate 
making the communication on its behalf in accordance with its written 
contract. Section 13406(a)(2)(A) of the HITECH Act includes an 
exception to the payment limitation for communications that describe 
only a drug or biologic that is currently being prescribed to the 
individual as long as any payment received by the covered entity in 
exchange for making the communication is reasonable in amount. Section 
13406(a)(3) of the Act provides that the term ``reasonable in amount'' 
shall have the meaning given to such term by the Secretary in 
regulation. Finally, section 13406(a)(4) of the Act clarifies that the 
term ``direct or indirect payment'' does not include any payment for 
treatment of the individual. We believe Congress intended that these 
provisions curtail a covered entity's ability to use the exceptions to 
the definition of ``marketing'' in the Privacy Rule to send 
communications to the individual that are motivated more by commercial 
gain or other commercial purpose rather than for the purpose of the 
individual's health care, despite the communication being about a 
health-related product or service.
    To implement the marketing limitations of the HITECH Act, we 
proposed a number of modifications to the definition of ``marketing'' 
at Sec.  164.501. In paragraph (1) of the definition of ``marketing,'' 
we proposed to maintain the general concept that ``marketing'' means 
``to make a communication about a product or service that encourages 
recipients of the communication to purchase or use the product or 
service.'' In paragraph (2) of the definition, we proposed to include 
three exceptions to this definition to encompass certain treatment and 
health care operations communications about health-related products or 
services. First, we proposed to exclude from the definition of 
``marketing'' certain health care operations communications, except 
where, as provided by the HITECH Act, the covered entity receives 
financial remuneration in exchange for making the communication. This 
would encompass communications to describe a health-related product or 
service (or payment for such product or service) that is provided by, 
or included in a plan of benefits of, the covered entity making the 
communication, as well as communications for case management

[[Page 5593]]

or care coordination, contacting of individuals with information about 
treatment alternatives, and related functions (to the extent these 
activities did not constitute ``treatment'').
    Although the HITECH Act uses the term ``direct or indirect 
payment'' to describe the limitation on permissible health care 
operations disclosures, the proposed rule substituted the term 
``financial remuneration'' to avoid confusion with the term 
``payment,'' which is defined in the Privacy Rule to mean payment for 
health care, and for consistency with the Privacy Rule's current 
authorization requirement for marketing at Sec.  164.508(a)(3), which 
uses the term ``remuneration.'' We proposed to define ``financial 
remuneration'' in paragraph (3) of the definition of ``marketing'' to 
mean direct or indirect payment from or on behalf of a third party 
whose product or service is being described. We also proposed to make 
clear, in accordance with section 13406(a)(4) of the HITECH Act, that 
financial remuneration does not include any direct or indirect payment 
for the treatment of an individual.
    Additionally, because the HITECH Act refers expressly to 
``payment,'' rather than remuneration more generally, the proposed rule 
specified that only the receipt of financial remuneration in exchange 
for making a communication, as opposed to in-kind or any other type of 
remuneration, is relevant for purposes of the definition of marketing. 
We also proposed a conforming change to the required authorization 
provisions for marketing communications at Sec.  164.508(a)(3) to add 
the term ``financial'' before ``remuneration'' and to refer to the new 
definition of ``financial remuneration.''
    The proposed rule emphasized that financial remuneration for 
purposes of the definition of ``marketing'' must be in exchange for 
making the communication itself and be from or on behalf of the entity 
whose product or service is being described. Thus, under these proposed 
provisions, an authorization would be required prior to a covered 
entity making a communication to its patients regarding the acquisition 
of, for example, new state of the art medical equipment if the 
equipment manufacturer paid the covered entity to send the 
communication to its patients; but not if a local charitable 
organization, such as a breast cancer foundation, funded the covered 
entity's mailing to patients about new state of the art mammography 
screening equipment. Furthermore, it would not constitute marketing and 
no authorization would be required if a hospital sent flyers to its 
patients announcing the opening of a new wing where the funds for the 
new wing were donated by a third party, since the financial 
remuneration to the hospital from the third party was not in exchange 
for the mailing of the flyers.
    Second, we proposed to include the statutory exception to marketing 
at section 13406(a)(2)(A) for communications regarding refill reminders 
or otherwise about a drug or biologic that is currently being 
prescribed for the individual, provided any financial remuneration 
received by the covered entity for making the communication is 
reasonably related to the covered entity's cost of making the 
communication. The Act expressly identifies these types of 
communications as being exempt from the remuneration limitation only to 
the extent that any payment received for making the communication is 
reasonable in amount. We requested comment on the scope of this 
exception, that is, whether communications about drugs that are related 
to the drug currently being prescribed, such as communications 
regarding generic alternatives or new formulations of the drug, should 
fall within the exception. We also requested comment on the types and 
amount of costs that should be allowed under this provision. We noted 
that we had considered proposing a requirement that a covered entity 
could only receive financial remuneration for making such a 
communication to the extent it did not exceed the actual cost to make 
the communication. However, because we were concerned that such a 
requirement would impose the additional burden of calculating the costs 
of making each communication, we proposed to allow costs that are 
reasonably related to a covered entity's cost of making the 
communication.
    Third, we proposed to exclude from marketing treatment 
communications about health-related products or services by a health 
care provider to an individual, including communications for case 
management or care coordination for the individual, or to direct or 
recommend alternative treatments, therapies, health care providers, or 
settings of care to the individual, provided, however, that if the 
communications are in writing and financial remuneration is received in 
exchange for making the communications, certain notice and opt out 
conditions are met. While section 13406(a) of the HITECH Act expressly 
provides that a communication to an individual about a health-related 
product or service where the covered entity receives payment from a 
third party in exchange for making the communication shall not be 
considered a health care operation (emphasis added) under the Privacy 
Rule, and thus is marketing, it is unclear how Congress intended these 
provisions to apply to treatment communications between a health care 
provider and a patient. Specifically, it is unclear whether Congress 
intended to restrict only those subsidized communications about 
products and services that are less essential to an individual's health 
care (i.e., those classified as health care operations communications) 
or all subsidized communications about products and services, including 
treatment communications. Given this ambiguity and to avoid undue 
interference with treatment communications between the individual and a 
health care provider, we proposed to continue to allow subsidized 
treatment communications, but conditioned on providing the individual 
with notice and an opportunity to opt out of receiving such 
communications. Specifically, to ensure the individual is aware that he 
or she may receive subsidized treatment communications from his or her 
provider and has the opportunity to elect not to receive them, the 
proposed rule would have required at Sec.  164.514(f)(2) that: (1) The 
covered health care provider's notice of privacy practices include a 
statement informing individuals that the provider may send treatment 
communications to the individual concerning treatment alternatives or 
other health-related products or services where the provider receives 
financial remuneration from a third party in exchange for making the 
communication, and the individual has a right to opt out of receiving 
such communications; and (2) the treatment communication itself 
disclose the fact of remuneration and provide the individual with a 
clear and conspicuous opportunity to elect not to receive any further 
such communications. We requested comment on how the opt out should 
apply to future subsidized treatment communications (i.e., should the 
opt out prevent all future subsidized treatment communications by the 
provider or just those dealing with the particular product or service 
described in the current communication?). We also requested comment on 
the workability of requiring health care providers that intend to send 
subsidized treatment communications to individuals to provide an 
individual with the opportunity to opt out of receiving such 
communications prior to the individual receiving the first 
communication and what mechanisms

[[Page 5594]]

could be put into place to implement such a requirement.
    Given that the new marketing limitations on the receipt of 
remuneration by a covered entity would apply differently depending on 
whether a communication is for treatment or health care operations 
purposes, and that distinguishing such communications may in many cases 
call for close judgments, we requested comment on the alternatives of 
excluding treatment communications altogether even if they involve 
financial remuneration from a third party or requiring individual 
authorization for both treatment and health care operations 
communications made in exchange for financial remuneration.
    Finally, we proposed to remove the language defining as marketing 
an arrangement between a covered entity and any other entity in which 
the covered entity discloses protected health information to the other 
entity, in exchange for remuneration, for the other entity or its 
affiliate to make a communication about its own product or service that 
encourages recipients of the communication to purchase or use that 
product or service, since such activity would now constitute a 
prohibited ``sale'' of protected health information under section 
13405(d) of the HITECH Act and the proposed rule.
Overview of Public Comments
    Several commenters asked as a general matter that the final rule 
retain the current definition of ``marketing'' and that no changes to 
this provision be implemented. With respect to subsidized treatment 
communications, many commenters expressed support for the decision in 
the NPRM to not require authorizations for such communications, and 
several argued for removing even the opt out requirement. Other 
commenters believed that all communications in which the covered entity 
receives financial remuneration for making the communication, 
regardless of whether the communication is for treatment purposes, 
should be considered marketing and require authorization.
    While many commenters were generally in support of not requiring 
authorization for treatment communications, at the same time, several 
commenters expressed concern with the difficulty of distinguishing 
between treatment communications and communications for health care 
operations purposes. These commenters stated that additional 
clarification regarding this distinction would be needed to be able to 
implement the NPRM's marketing provisions. Several commenters stated 
that while the distinction may be clear in some limited circumstances, 
there are other circumstances where it may be difficult for covered 
entities to determine what type of communication they are sending and 
whether authorization or just disclosure in the notice of privacy 
practices and the opportunity to opt out would be required. For 
example, while the NPRM stated that whether a communication is being 
made for treatment purposes or for health care operations purposes 
would depend on the extent to which the covered entity is making the 
communication in a population-based fashion (health care operations) or 
to further the treatment of a particular individual's health care 
status or condition (treatment), many commenters stated that there may 
be circumstances in which a covered entity provides a population-based 
communication to further the treatment of the health care status or 
condition of an entire group of individuals. Other commenters suggested 
that the distinction between communications for treatment and those for 
health care operations purposes should be made based on the entity 
providing the communication: If a health care provider is providing the 
communication, it should be deemed for treatment purposes; however, if 
the communication is made by a covered entity other than a health care 
provider, the determination should be based on whether the 
communication is individual (treatment) or population based (health 
care operations).
    With respect to the subsidized treatment communications, commenters 
opposed to the opt out notification generally took one of three 
positions: All such communications should require authorizations to 
best protect patient privacy; an opt in method would better permit 
individuals to make more informed choices about whether to receive such 
communications; or a covered entity should be permitted to make these 
communications without an opportunity to opt out, because of unintended 
effects that may adversely affect the quality of care provided. Some 
commenters asked, if the opt out requirement is retained, that OCR 
ensure that covered entities are given significant flexibility in 
determining how best to implement the opt out requirement.
    Additionally, the vast majority of commenters did not believe there 
should be an opportunity to opt out of receiving subsidized treatment 
communications prior to receipt of the first such communication. The 
commenters believed that requiring an opportunity to opt out prior to 
the first communication would be too costly and burdensome for most 
covered entities. Many also noted that the statement in the notice of 
privacy practices, which would inform individuals of their option to 
opt out of receiving subsidized treatment communications, could serve 
as an opportunity to opt out before the first communication. Some 
commenters expressed concern even with including a statement in the 
notice of privacy practices because of the cost associated with 
modifying notices to do so.
    With respect to the scope of the proposed opt out, most commenters 
believed that the opt out should apply only to subsidized treatment 
communications related to a specific product or service and should not 
apply universally to all similar future communications from the covered 
entity. These commenters stated that it would be difficult for an 
individual to elect, in a meaningful way, not to receive all future 
subsidized treatment communications because he or she would not know 
exactly what he or she is opting out of without receiving at least one 
communication. Other commenters believed that while a product or 
service-specific application of the opt out would be ideal, it is 
simply unrealistic and infeasible for covered entities to be able to 
implement such a policy. These commenters stated that a universal opt 
out, which would apply to all future subsidized treatment 
communications, would be much simpler and easier for covered entities 
to implement. Additionally, while some commenters believed that 
individuals should be able to decide whether they want to opt out of 
specific subsidized treatment communications or all future such 
communications, most commenters supported giving covered entities the 
flexibility to determine the scope of this opt out provision based on 
their own specific capabilities. Many of these commenters also 
suggested that the final rule permit individuals who have opted out of 
receiving such communications to opt back in to receive future notices 
using the same methods through which the individuals had opted out.
    The Department also received several comments on the definition of 
``financial remuneration.'' Several commenters supported the NPRM's 
definition of ``financial remuneration''; however, many commenters 
asked for clarification regarding the scope of the definition and the 
meaning of the phrase ``direct or indirect payment.'' For example, some 
commenters asked for confirmation that non-financial benefits did not 
constitute financial

[[Page 5595]]

remuneration, while other commenters wanted the exception for refill 
reminders (that is, the communication is not marketing as long as the 
financial remuneration does not exceed the related costs of the 
communication) to apply more broadly to all marketing communications. 
Additionally, some commenters suggested that the final rule clarify 
that only financial remuneration in exchange for sending a 
communication triggers either the authorization or the statement of 
notice and opt out requirement and not the exchange of financial 
remuneration for the development or funding for programs, which may 
include the sending of a communication. These commenters generally 
suggested that the final rule give covered entities the flexibility to 
determine whether the financial remuneration received is truly in 
exchange for making the communication.
    We received a great deal of public comment on the exception to the 
definition of ``marketing'' for providing refill reminders or to 
otherwise communicate about a drug or biologic currently being 
prescribed for the individual where the only financial remuneration 
received by the covered entity in exchange for making the communication 
is reasonably related to the covered entity's cost of making the 
communication. In general, most commenters supported this exception; 
however, a few commenters disagreed with the exception and felt that 
refill reminders should be treated as treatment communications 
requiring a statement in the notice and an opportunity to opt out if 
the communication is subsidized. Many commenters expressed the need for 
guidance on the scope of this exception and stated that certain 
communications should fall into the exception, such as communications 
about generic alternatives and drug adherence, and communications 
related to every component of a drug or biologic delivery system 
(especially where patients must self-administer medication). Some 
commenters specifically asked that the final rule exclude certain types 
of communications from this exception.
    With respect to the proposed cost limitation on the refill reminder 
exception, while some commenters suggested that the cost be limited to 
either the actual cost or the fair market value of providing the 
communication, generally, most commenters supported the position that 
reasonably related costs should not be limited to actual costs. Many of 
the commenters in support of a broad interpretation of costs 
``reasonably related'' to providing the communication suggested 
specific costs that should be permitted under this exception, such as 
costs of personnel, data storage, data processing, data analysis, data 
security, software, hardware, employee training, message content 
development, clinical review, postage, materials, drug adherence 
program development, formulary development, and the creation and 
implementation of analytics to measure the effectiveness of the 
communication. Several commenters noted that it would be unrealistic to 
expect a covered entity to perform such non-essential functions as 
sending refill reminders and other related communications if they could 
not recoup both their direct and indirect costs as well as a modest 
profit.
Final Rule
    The final rule significantly modifies the proposed rule's approach 
to marketing by requiring authorization for all treatment and health 
care operations communications where the covered entity receives 
financial remuneration for making the communications from a third party 
whose product or service is being marketed. Many of the comments we 
received in response to the proposed marketing provisions concerned the 
distinction between communications for treatment and those for health 
care operations purposes and sought clarification on the line between 
such communications. We acknowledge that the distinction between what 
constitutes a treatment versus a health care operations communication 
may be difficult to make with precision in all cases, placing covered 
entities at risk for violating the authorization requirement for 
marketing communications. We, therefore, believe that requiring 
authorizations for all subsidized communications that market a health 
related product or service is the best policy. Such a policy will 
ensure that all such communications are treated as marketing 
communications, instead of requiring covered entities to have two 
processes in place based on whether the communication provided to 
individuals is for a treatment or a health care operations purpose. We 
decline to retain the Privacy Rule's definition of what constitutes 
``marketing'' unchanged, as suggested by some commenters, as doing so 
would be inconsistent with the provisions of the Section 13406(a) of 
the HITECH Act.
    Because the final rule treats subsidized treatment communications 
as marketing communications that require authorization, we have not 
adopted the notice requirement at proposed Sec.  164.520(b)(1)(iii)(A) 
that a covered entity's notice of privacy practices include a statement 
informing individuals that the provider may send treatment 
communications to the individual concerning treatment alternatives or 
other health-related products or services where the provider receives 
financial remuneration from a third party in exchange for making the 
communication, and the individual has a right to opt out of receiving 
such communications. We also do not retain the notice requirement that 
existed at Sec.  164.520(b)(1)(iii) prior to this final rule that a 
covered entity include in its notice of privacy practices a statement 
that the covered entity may contact the individual to provide 
appointment reminders or information about treatment alternatives or 
other health-related benefits and services that may be of interest to 
the individual. Where the sending of such communications involves 
financial remuneration, the individual will be notified of such 
communications through the authorization process. Other communications 
for such purposes that do not involve financial remuneration are 
adequately captured in a covered entity's description in its notice of 
privacy practices of treatment and health care operations. However, 
covered entities that wish to continue to include such a specific 
statement in their notices of privacy practices may do so. For further 
discussion about the Notice of Privacy Practices, please see the 
discussion addressing the provisions at Sec.  164.520 below.
    We adopt the term ``financial remuneration'' and its definition as 
proposed without modification in the final rule. Most commenters were 
generally satisfied with the proposed use of the term and its 
definition. There was, however, some confusion among commenters as to 
what constitutes direct or indirect payment from or on behalf of a 
third party. We clarify that under this provision direct payment means 
financial remuneration that flows from the third party whose product or 
service is being described directly to the covered entity. In contrast, 
indirect payment means financial remuneration that flows from an entity 
on behalf of the third party whose product or service is being 
described to a covered entity.
    We also clarify that where a business associate (including a 
subcontractor), as opposed to the covered entity itself, receives 
financial remuneration from a third party in exchange for making a 
communication about a product or service, such communication also 
requires prior authorization from the individual. The HITECH Act at 
Section 13406(a)(2)(C) provides that a business

[[Page 5596]]

associate may make such communications on behalf of a covered entity if 
consistent with the written contract required by the Privacy Rule 
between the business associate and covered entity. The Privacy Rule a 
Sec.  164.504(e)(2)(i) provides that the contract may not authorize the 
business associate to further use or disclose the protected health 
information in a manner that would violate the Rule if done by the 
covered entity (except in two limited circumstances not relevant here). 
Thus, individual authorization also must be obtained if a business 
associate is to send these communications instead of the covered 
entity.
    We also confirm, in response to comments, that the term ``financial 
remuneration'' does not include non-financial benefits, such as in-kind 
benefits, provided to a covered entity in exchange for making a 
communication about a product or service. Rather, financial 
remuneration includes only payments made in exchange for making such 
communications. In addition, we continue to emphasize that the 
financial remuneration a covered entity receives from a third party 
must be for the purpose of making a communication and such 
communication must encourage individuals to purchase or use the third 
party's product or service. If the financial remuneration received by 
the covered entity is for any purpose other than for making the 
communication, then this marketing provision does not apply. For 
example, if a third party provides financial remuneration to a covered 
entity to implement a program, such as a disease management program, 
the covered entity could provide individuals with communications about 
the program without obtaining individual authorization as long as the 
communications are about the covered entity's program itself. There, 
the communications would only be encouraging individuals to participate 
in the covered entity's disease management program and would not be 
encouraging individuals to use or purchase the third party's product or 
service.
    Under the final rule, for marketing communications that involve 
financial remuneration, the covered entity must obtain a valid 
authorization from the individual before using or disclosing protected 
health information for such purposes, and such authorization must 
disclose the fact that the covered entity is receiving financial 
remuneration from a third party. See Sec.  164.508(a)(3). The scope of 
the authorization need not be limited only to subsidized communications 
related to a single product or service or the products or services of 
one third party, but rather may apply more broadly to subsidized 
communications generally so long as the authorization adequately 
describes the intended purposes of the requested uses and disclosures 
(i.e., the scope of the authorization) and otherwise contains the 
elements and statements of a valid authorization under Sec.  164.508. 
This includes making clear in the authorization that the individual may 
revoke the authorization at any time he or she wishes to stop receiving 
the marketing material.
    Because the final rule will treat all subsidized treatment 
communications as marketing communications for which an authorization 
is required, the final rule also removes the language at proposed Sec.  
164.514(f)(2), which proposed to require that such communications be 
accompanied by a statement in the notice and an opportunity for the 
individual to opt out of receiving such communications. We believe that 
the removal of the notice and opt out requirements for such 
communications and the addition of the requirement to obtain an 
authorization will provide covered entities with a more uniform system 
for treating all remunerated communications. Because the individual 
must now sign an authorization before the covered entity can make 
subsidized treatment communications, there is no longer any need to 
require each such communication to contain a clear and conspicuous 
opportunity for the individual to elect not to receive any more of 
these communications. Where the individual signs an authorization to 
receive such communications, the covered entity may use and disclose 
the individual's protected health information for the purposes of 
making such communications unless or until the individual revokes the 
authorization pursuant to Sec.  164.508(a)(5). If the individual does 
not authorize the covered entity to use and disclose the individual's 
protected health information for the purposes of making subsidized 
treatment communications, then the covered entity is prohibited from 
doing so.
    We clarify that the final rule does nothing to modify the 
exceptions to the authorization requirement for marketing 
communications at Sec.  164.508(a)(3)(i)(A) and (B). Therefore, no 
authorization is required where a covered entity receives financial 
remuneration from a third party to make a treatment or health care 
operations communication (or other marketing communication), if the 
communication is made face-to-face by a covered entity to an individual 
or consists of a promotional gift of nominal value provided by the 
covered entity. For example, a health care provider could, in a face to 
face conversation with the individual, recommend, verbally or by 
handing the individual written materials such as a pamphlet, that the 
individual take a specific alternative medication, even if the provider 
is otherwise paid by a third party to make such communications. 
However, communications made over the phone (as well as all 
communications sent through the mail or via email) do not constitute 
face to face communications, and as such, these communications require 
individual authorization where the covered entity receives remuneration 
in exchange for making the communications.
    With respect to the exception for refill reminders or to otherwise 
communicate about a drug or biologic currently being prescribed to the 
individual, we adopt the exception as proposed. We continue to provide 
a stand-alone exception for refill reminders, given that the HITECH Act 
expressly does so. We therefore decline to adopt the suggestions of 
commenters to consider these communications to specifically be 
treatment communications (which would have required, under the 
provisions of the proposed rule, notice and an opportunity to opt out 
where the covered entity receives financial remuneration), or health 
care operations communications (which require authorization if 
financial remuneration is received).
    Many commenters asked for guidance and clarification regarding the 
scope of this exception, and we received a wide array of examples of 
communications that commenters suggested should fall within this 
exception. At this time, we clarify that we consider communications 
about the generic equivalent of a drug being prescribed to an 
individual as well as adherence communications encouraging individuals 
to take their prescribed medication as directed fall within the scope 
of this exception. Additionally, we clarify that where an individual is 
prescribed a self-administered drug or biologic, communications 
regarding all aspects of a drug delivery system, including, for 
example, an insulin pump, fall under this exception. With respect to 
the array of other examples and suggestions provided by commenters as 
to what should fall within or outside of the exception, we intend to 
provide future guidance to address these questions.
    The proposed rule contained the Act's limitation that the financial

[[Page 5597]]

remuneration received in exchange for providing a refill reminder or to 
otherwise communicate about a drug or biologic currently being 
prescribed to the individual must be ``reasonable in amount,'' by 
providing that such remuneration must be reasonably related to the 
covered entity's cost of making the communication for the exception 
from marketing to apply. We adopt this provision in the final rule. In 
response to comments regarding what types of costs fall within 
permissible remuneration, we clarify that we consider permissible costs 
for which a covered entity may receive remuneration under this 
exception are those which cover only the costs of labor, supplies, and 
postage to make the communication. Where the financial remuneration a 
covered entity receives in exchange for making the communication 
generates a profit or includes payment for other costs, such financial 
remuneration would run afoul of the Act's ``reasonable in amount'' 
language. Thus, under this final rule, if a pharmacy receives financial 
remuneration from a drug manufacturer to provide refill reminders to 
individuals taking a particular drug that covers only the pharmacy's 
cost of drafting, printing, and mailing the refill reminders, the 
exception would apply and no authorization would be required. However, 
where the drug manufacturer also provides the pharmacy with a financial 
incentive beyond the cost of making the communication to encourage the 
pharmacy's continued willingness to send such communications on behalf 
of the drug manufacturer, the exception would not apply and the 
pharmacy must obtain individual authorization. We note, however, that 
if a pharmacy provides refill reminders to individuals only when they 
visit the pharmacy (in face to face encounters), such communications 
would be permitted under Sec.  164.508(a)(3)(i)(A) and thus, 
authorization would not be required even if the pharmacy receives 
financial remuneration above and beyond what is reasonably related to 
the pharmacy's cost of making the communication.
    Finally, in addition to the communications that fall within the 
refill reminder exception, two other types of communications continue 
to be exempt from the marketing provisions. First, as explained in the 
NPRM, communications promoting health in general and that do not 
promote a product or service from a particular provider, such as 
communications promoting a healthy diet or encouraging individuals to 
get certain routine diagnostic tests, such as annual mammograms, do not 
constitute marketing and thus, do not require individual authorization.
    Second, communications about government and government-sponsored 
programs do not fall within the definition of ``marketing'' as there is 
no commercial component to communications about benefits through public 
programs. Therefore, a covered entity may use and disclose protected 
health information to communicate with individuals about eligibility 
for programs, such as Medicare, Medicaid, or the State Children's 
Health Insurance Program (CHIP) without obtaining individual 
authorization.
Response to Other Public Comments
    Comment: One commenter asked whether it is marketing where an 
entity promotes its discounts on covered benefits or member-exclusive 
value-added health products and services by paying a mailing house that 
is the health plan's business associate to send its written promotional 
material to health plan members. The commenter stated that only the 
mailing house, and not the covered entity, is paid to send the 
communications.
    Response: Even where a business associate of a covered entity, such 
as a mailing house, rather than the covered entity itself, receives the 
financial remuneration from the entity whose product or service is 
being promoted to health plan members, the communication is a marketing 
communication for which prior authorization is required. As stated 
above, under the Privacy Rule, a business associate generally may not 
use or disclose protected health information in a manner that would be 
impermissible if done by the covered entity. We note, however, that 
non-financial or in-kind remuneration may be received by the covered 
entity or its business associate and it would not implicate the new 
marketing restrictions. Thus, if the materials describing a member-
exclusive value-added health product or service were provided by the 
entity to the health plan or its business associate and no payment was 
made by the entity relating to the mailing or distribution of the 
materials, the covered entity or its business associate would be able 
to provide the material to its members without requiring an 
authorization.
3. Business Associates
a. Section 164.502(a) and (b)--Permitted and Required Uses and 
Disclosures and Minimum Necessary
    Before the HITECH Act, the Privacy Rule did not govern business 
associates directly. However, section 13404 of the HITECH Act makes 
specific requirements of the Privacy Rule applicable to business 
associates, and creates direct liability for noncompliance by business 
associates with regard to those Privacy Rule requirements. 
Specifically, section 13404(a) of the HITECH Act creates direct 
liability for uses and disclosures of protected health information by 
business associates that do not comply with its business associate 
contract or other arrangement under the Privacy Rule. Additionally, 
section 13404(a) applies the other privacy requirements of the HITECH 
Act directly to business associates just as they apply to covered 
entities. Section 13404(b) applies the provision of Sec.  
164.504(e)(1)(ii) regarding knowledge of a pattern of activity or 
practice that constitutes a material breach or violation of a contract 
to business associates. Finally, section 13404(c) applies the HIPAA 
civil and criminal penalties to business associates. We discuss the 
modifications to the Privacy Rule pursuant to paragraphs (a) and (b) of 
section 13404 of the HITECH Act below. We address the modifications 
made to the Enforcement Rule by section 13404(c) regarding the 
application of penalties to violations by business associates above in 
the discussion of the changes to the Enforcement Rule.
    We note that we have not added references to ``business associate'' 
to all provisions of the Privacy Rule that address uses and disclosures 
by covered entities. Such additions to the Privacy Rule are 
unnecessary, as a business associate generally may only use or disclose 
protected health information in the same manner as a covered entity. 
Therefore, any Privacy Rule limitation on how a covered entity may use 
or disclose protected health information automatically extends to a 
business associate.
i. Permitted and Required Uses and Disclosures
Proposed Rule
    We proposed to modify Sec.  164.502(a) of the Privacy Rule 
containing the general rules for uses and disclosures of protected 
health information to address the permitted and required uses and 
disclosures of protected health information by business associates. 
First, we proposed to modify

[[Page 5598]]

Sec.  164.502(a) to provide that a business associate, like a covered 
entity, may not use or disclose protected health information except as 
permitted or required by the Privacy Rule or the Enforcement Rule. 
Second, we proposed to add new provisions at Sec.  164.502(a)(4) and 
(5) to specify the permitted and required uses and disclosures of 
protected health information by business associates.
    In accordance with section 13404(a) of the HITECH Act, we proposed 
in Sec.  164.502(a)(4) to allow business associates to use or disclose 
protected health information only as permitted or required by their 
business associate contracts or other arrangements pursuant to Sec.  
164.504(e) or as required by law. Any other use or disclosure would 
violate the Privacy Rule. Proposed Sec.  164.502(a)(4) also provided 
that a business associate would not be permitted to use or disclose 
protected health information in a manner that would violate the Privacy 
Rule if done by the covered entity, except that the business associate 
would be permitted to use or disclose protected health information for 
the proper management and administration of the business associate and 
to provide data aggregation services for the covered entity, as 
specified at Sec.  164.504(e)(2)(i)(A) and (B), if such uses and 
disclosures are permitted by its business associate contract or other 
arrangement.
    In Sec.  164.502(a)(5), we proposed to require that a business 
associate disclose protected health information either: (1) When 
required by the Secretary under Subpart C of Part 160 to investigate or 
determine the business associate's compliance with this subchapter; or 
(2) to the covered entity, individual, or individual's designee, as 
necessary to satisfy a covered entity's obligations under Sec.  
164.524(c)(2)(ii) and (3)(ii), as modified, with respect to an 
individual's request for an electronic copy of protected health 
information. Section 13405(e) of the HITECH Act requires covered 
entities that maintain protected health information in an electronic 
health record to provide an individual, or the individual's designee, 
with a copy of such information in an electronic format, if the 
individual so chooses. We proposed to include a similar direct 
requirement on business associates in Sec.  164.502(a)(5), as section 
13404(a) of the HITECH Act also applies section 13405(e) to business 
associates.
    We also proposed a conforming change to revise the titles of Sec.  
164.502(a)(1) and (a)(2) to make clear that these provisions setting 
out permitted uses and disclosures of protected health information 
apply only to covered entities, as well as a technical change to Sec.  
164.502(a)(2)(ii) to replace the term ``subpart'' with ``subchapter'' 
to make clear that a covered entity is required to disclose protected 
health information to the Secretary as needed to determine compliance 
with any of the HIPAA Rules and not just the Privacy Rule.
Overview of Public Comments
    Several commenters expressed concern about the increased liability 
for business associates under the rule and requested clarification on 
when business associate liability for impermissible uses and 
disclosures would attach. Several commenters asked for clarification as 
to what a business associate is directly liable for under the Privacy 
Rule, and some expressed specific confusion regarding the liability of 
business associates for the provision of e-access under the rule.
Final Rule
    The final rule adopts the proposed modifications to Sec.  
164.502(a). The provisions specifying a business associate's permitted 
and required uses and disclosures of protected health information are 
renumbered from Sec.  164.502(a)(4) and (a)(5), as proposed, to Sec.  
164.502(a)(3) and (a)(4), as Sec.  164.502(a)(5) of the final rule now 
includes provisions to address prohibited uses and disclosures. Section 
164.502(a)(5) is discussed below in the sections describing the 
prohibitions on the sale of protected health information and the use or 
disclosure of genetic information for underwriting purposes.
    In response to specific comments asking for clarification regarding 
when business associate liability would attach, we provide the 
following. As we discussed above, the final rule provides that a 
business associate is a person who performs functions or activities on 
behalf of, or certain services for, a covered entity or another 
business associate that involve the use or disclosure of protected 
health information. The final rule establishes that a person becomes a 
business associate by definition, not by the act of contracting with a 
covered entity or otherwise. Therefore, liability for impermissible 
uses and disclosures attaches immediately when a person creates, 
receives, maintains, or transmits protected health information on 
behalf of a covered entity or business associate and otherwise meets 
the definition of a business associate.
    Liability also does not depend on the type of protected health 
information that a business associate creates, receives, maintains, or 
transmits on behalf of a covered entity or another business associate, 
or on the type of entity performing the function or service, except to 
the extent the entity falls within one of the exceptions at paragraph 4 
of the definition of business associate. First, protected health 
information created, received, maintained, or transmitted by a business 
associate may not necessarily include diagnosis-specific information, 
such as information about the treatment of an individual, and may be 
limited to demographic or other information not indicative of the type 
of health care services provided to an individual. If the information 
is tied to a covered entity, then it is protected health information by 
definition since it is indicative that the individual received health 
care services or benefits from the covered entity, and therefore it 
must be protected by the business associate in accordance with the 
HIPAA Rules and its business associate agreement. Second, the 
definition of business associate is contingent on the fact that the 
business associate performs certain activities or functions on behalf 
of, or provides certain services to, a covered entity or another 
business associate that involve the use or disclosure of protected 
health information. Therefore, any person, defined in the HIPAA Rules 
as a natural person, trust or estate, partnership, corporation, 
professional association or corporation, or other entity, public or 
private, who performs these functions or activities or services is a 
business associate for purposes of the HIPAA Rules, regardless of 
whether such person has other professional or privilege-based duties or 
responsibilities.
    Finally, while we understand commenters' concerns about the 
increased liability for business associates under the HIPAA Rules, such 
direct liability for violations of certain HIPAA provisions is 
expressly provided for by the HITECH Act.
    In response to comments requesting clarification on with which 
HIPAA provisions a business associate is directly liable for 
compliance, we provide the following. Business associates are directly 
liable under the HIPAA Rules for impermissible uses and disclosures,\4\ 
for a failure to provide breach notification to the covered entity,\5\ 
for a failure to provide access to a copy of electronic protected 
health information to either the covered entity, the individual, or the 
individual's designee (whichever is specified in the

[[Page 5599]]

business associate agreement),\6\ for a failure to disclose protected 
health information where required by the Secretary to investigate or 
determine the business associate's compliance with the HIPAA Rules,\7\ 
for a failure to provide an accounting of disclosures,\8\ and for a 
failure to comply with the requirements of the Security Rule.\9\ 
Business associates remain contractually liable for other requirements 
of the business associate agreement (see below for a discussion of the 
business associate agreement provisions).
---------------------------------------------------------------------------

    \4\ See Sec.  164.502(a)(3).
    \5\ See Sec.  164.410.
    \6\ See Sec.  164.502(a)(4)(ii).
    \7\ See Sec.  164.502(a)(4)(i).
    \8\ See 76 FR 31426 (May 31, 2011).
    \9\ See Subpart C of Part 164.
---------------------------------------------------------------------------

    With respect to a business associate's direct liability for a 
failure to provide access to a copy of electronic protected health 
information, business associates are liable for providing electronic 
access in accordance with their business associate agreements. 
Therefore, business associates may provide electronic access directly 
to individuals or their designees, or may provide the electronic 
protected health information to the covered entity (which then provides 
the electronic access to individuals or their designees). As with many 
other provisions in the HIPAA Rules, the Department leaves the details 
to the contracting parties, and is concerned only that access is 
provided to the individual, not with which party provides the access.
ii. Minimum Necessary
Proposed Rule
    We proposed to modify the minimum necessary standard at Sec.  
164.502(b) to require that when business associates use, disclose, or 
request protected health information from another covered entity, they 
limit protected health information to the minimum necessary to 
accomplish the intended purpose of the use, disclosure, or request. 
Applying the minimum necessary standard is a condition of the 
permissibility of many uses and disclosures of protected health 
information. Thus, a business associate is not making a permitted use 
or disclosure under the Privacy Rule if it does not apply the minimum 
necessary standard, where appropriate. Additionally, the HITECH Act at 
section 13405(b) addresses the application of minimum necessary and, in 
accordance with 13404(a), also applies such requirements to business 
associates.
Overview of Public Comments
    While the Department received general support for application of 
the minimum necessary standard to requests and uses and disclosures by 
business associates, several commenters requested clarification on such 
application.
Final Rule
    The final rule adopts the proposal to apply the minimum necessary 
standard directly to business associates when using or disclosing 
protected health information or when requesting protected health 
information from another covered entity. The final rule also makes 
clear that requests directed to another business associate, in addition 
to those directed to another covered entity, must also be limited to 
the minimum necessary. Covered entities and business associates 
disclosing protected health information in response may reasonably rely 
on such requests as requesting the minimum necessary for the 
disclosure.
    How a business associate will apply the minimum necessary standard 
will vary based on the circumstances. As is the case today, a business 
associate agreement must limit the business associate's uses and 
disclosures of protected health information to be consistent with the 
covered entity's minimum necessary policies and procedures. We leave it 
to the discretion of the parties to determine to what extent the 
business associate agreement will include specific minimum necessary 
provisions to ensure a business associate's uses and disclosures and 
requests for protected health information are consistent with the 
covered entity's minimum necessary policies and procedures. The 
Department intends to issue future guidance on the minimum necessary 
standard in accordance with section 13405(b) of the HITECH Act that 
will consider the specific questions posed by commenters with respect 
to business associates' application of the minimum necessary standard.
b. Sections 164.502(e) and 164.504(e)--Business Associate Agreements
Proposed Rule
    Section 164.502(e) permits a covered entity to disclose protected 
health information to a business associate and may allow a business 
associate to create or receive protected health information on its 
behalf, if the covered entity obtains satisfactory assurances, in the 
form of a written contract or other written arrangement with the 
business associate that meets the requirements of Sec.  164.504(e), 
that the business associate will appropriately safeguard the 
information. We proposed a parallel provision in Sec.  164.502(e) that 
would allow a business associate to disclose protected health 
information to a business associate that is a subcontractor, and to 
allow the subcontractor to create or receive protected health 
information on its behalf, if the business associate obtains similar 
satisfactory assurances that the subcontractor will appropriately 
safeguard the information. Consistent with the proposal with respect to 
Security Rule requirements and business associates, we proposed to make 
clear in Sec.  164.502(e) that a covered entity would not be required 
to obtain satisfactory assurances from business associates that are 
subcontractors. Rather, a business associate would be required to 
obtain such assurances from a subcontractor. Thus, the proposed 
provisions would not change the parties to the contracts. For example, 
a covered entity may choose to contract with a business associate 
(contractor) to use or disclose protected health information on its 
behalf, the business associate may choose to obtain the services of 
(and exchange protected health information with) a subcontractor 
(subcontractor 1), and that subcontractor may, in turn, contract with 
another subcontractor (subcontractor 2) for services involving 
protected health information. The contractor and subcontractors 1 and 2 
would now be business associates with direct liability under the HIPAA 
Rules, and would be required to obtain business associate agreements 
with the parties with whom they contract for services that involve 
access to protected health information. (Note, however, as discussed 
above with respect to the definition of ``business associate,'' direct 
liability under the HIPAA Rules would attach regardless of whether the 
contractor and subcontractors have entered into the required business 
associate agreements.)
    We also proposed to remove Sec.  164.502(e)(1)(iii), which provides 
that a covered entity that violates the satisfactory assurances it 
provided as a business associate of another covered entity will be in 
noncompliance with the Privacy Rule's business associate agreement 
provisions, given that proposed changes to Sec.  164.502 would now 
restrict directly the uses and disclosures of protected health 
information by a business associate, including a covered entity acting 
as a business associate, to those uses and disclosures permitted by its 
business associate agreement.

[[Page 5600]]

    Finally, as discussed above with respect to the definition of 
business associate, we proposed to move the current exceptions to 
business associate to the definition itself in Sec.  160.103.
    Section 164.504(e) contains the specific requirements for business 
associate contracts and other arrangements. We proposed a number of 
modifications to Sec.  164.504(e) to implement section 13404 of the 
HITECH Act and to reflect the Department's new regulatory authority 
with respect to business associates, as well as to reflect a covered 
entity's and business associate's new obligations under Subpart D of 
Part 164 of the Privacy Rule to provide for notification in the case of 
breaches of unsecured protected health information.
    Section 164.504(e)(1)(ii) provides that a covered entity is not in 
compliance with the business associate requirements if the covered 
entity knew of a pattern of activity or practice of the business 
associate that constituted a material breach or violation of the 
business associate's obligation under the contract or other 
arrangement, unless the covered entity took reasonable steps to cure 
the breach or end the violation, as applicable, and if such steps were 
unsuccessful, terminated the contract or arrangement or, if termination 
is not feasible, reported the problem to the Secretary. We proposed to 
remove the requirement that covered entities report to the Secretary 
when termination of a business associate agreement is not feasible. In 
light of a business associate's direct liability for civil money 
penalties for certain violations of the business associate agreement 
and both a covered entity's and business associate's obligations under 
Subpart D to report breaches of unsecured protected health information 
to the Secretary, we have other mechanisms through which we expect to 
learn of such breaches and misuses of protected health information by a 
business associate.
    We also proposed to add a new provision at Sec.  164.504(e)(1)(iii) 
applicable to business associates with respect to subcontractors to 
mirror the requirements on covered entities at Sec.  164.504(e)(1)(ii) 
(minus the requirement to report to the Secretary if termination of a 
contract is not feasible). Thus, a business associate that is aware of 
noncompliance by its business associate subcontractor would be required 
to respond to the situation in the same manner as a covered entity that 
is aware of noncompliance by its business associate. We believe this 
provision would implement section 13404(b) of the HITECH Act, and would 
align the requirements for business associates with regard to business 
associate subcontractors with the requirements for covered entities 
with regard to their business associates.
    We also proposed changes to the specific business associate 
agreement provisions at Sec.  164.504(e). First, we proposed to revise 
Sec.  164.504(e)(2)(ii)(B) through (D) to provide that the contract 
will require that: in (B), business associates comply, where 
applicable, with the Security Rule with regard to electronic protected 
health information; in (C), business associates report breaches of 
unsecured protected health information to covered entities, as required 
by Sec.  164.410; and in (D), in accordance with Sec.  
164.502(e)(1)(ii), business associates ensure that any subcontractors 
that create or receive protected health information on behalf of the 
business associate agree to the same restrictions and conditions that 
apply to the business associate with respect to such information. These 
revisions were proposed to align the requirements for the business 
associate agreement with the requirements in the HITECH Act and 
elsewhere within the HIPAA Rules.
    Additionally, we proposed to add a new agreement provision at Sec.  
164.504(e)(2)(ii)(H) (and to renumber the current paragraphs (H) and 
(I) accordingly) to requires that, to the extent the business associate 
is to carry out a covered entity's obligation under this subpart, the 
business associate must comply with the requirements of the Privacy 
Rule that apply to the covered entity in the performance of such 
obligation. This provision would clarify that when a covered entity 
delegates a responsibility under the Privacy Rule to the business 
associate, the business associate would be contractually required to 
comply with the requirements of the Privacy Rule in the same manner as 
they apply to the covered entity. For example, if a third party 
administrator, as a business associate of a group health plan, fails to 
distribute the plan's notice of privacy practices to participants on a 
timely basis, the third party administrator would not be directly 
liable under the HIPAA Rules, but would be contractually liable, for 
the failure. However, even though the business associate is not 
directly liable under the HIPAA Rules for failure to provide the 
notice, the covered entity remains directly liable for failure to 
provide the individuals with its notice of privacy practices because it 
is the covered entity's ultimate responsibility to do so, despite its 
having hired a business associate to perform the function.
    We also proposed to add a new Sec.  164.504(e)(5) that would apply 
the requirements at Sec.  164.504(e)(2) through (e)(4) to the contract 
or other arrangement between a business associate and its business 
associate subcontractor as required by Sec.  164.502(e)(1)(ii) in the 
same manner as such requirements apply to contracts or other 
arrangements between a covered entity and its business associate. Thus, 
a business associate would be required by Sec.  164.502(e)(1)(ii) and 
by this section to enter into business associate agreements or other 
arrangements that comply with the Privacy and Security Rules with their 
business associate subcontractors, in the same manner that covered 
entities are required to enter into contracts or other arrangements 
with their business associates.
    Finally, we proposed a few other minor changes. We proposed in 
Sec.  164.504(e)(3) regarding other arrangements for governmental 
entities to include references to the Security Rule requirements for 
business associates to avoid having to repeat such provisions in the 
Security Rule. We also proposed to remove the reference to 
subcontractors in Sec.  164.504(f)(2)(ii)(B) (regarding disclosures to 
plan sponsors) and in Sec.  164.514(e)(4)(ii)(C)(4) (regarding data use 
agreements for limited data sets) to avoid confusion since the term 
``subcontractor'' is now a defined term under the HIPAA Rules with a 
particular meaning that is related to business associates. The proposed 
removal of the term was not intended as a substantive change to the 
provisions.
Overview of Public Comments
    Several commenters expressed confusion regarding the need for 
business associate agreements, considering the provisions for direct 
liability from the HITECH Act and in the proposed rule. Many of these 
commenters suggested that all of the requirements of the Privacy Rule 
apply to business associates, as is the case with the Security Rule.
    A few commenters requested clarification about what constitutes 
``satisfactory assurances'' pursuant to the rule, asking whether, for 
example, there were expectations on covered entities to ensure that 
business associates (including subcontractors) have appropriate 
controls in place besides business associate agreements or whether a 
covered entity must obtain from a business associate satisfactory 
assurance that any business associate subcontractors are complying with 
the Rules. Several commenters requested clarification on the 
appropriateness of

[[Page 5601]]

indemnification clauses in business associate agreements.
    Finally, several commenters requested that the Department provide a 
model business associate agreement.
Final Rule
    The final rule adopts the proposed modifications to Sec. Sec.  
164.502(e) and 164.504(e). As we discussed above, while section 13404 
of the HITECH Act provides that business associates are now directly 
liable for civil money penalties under the HIPAA Privacy Rule for 
impermissible uses and disclosures and for the additional HITECH 
requirements in Subtitle D that are made applicable to covered 
entities, it does not apply all of the requirements of the Privacy Rule 
to business associates and thus, the final rule does not. Therefore, 
business associates are not required to comply with other provisions of 
the Privacy Rule, such as providing a notice of privacy practices or 
designating a privacy official, unless the covered entity has chosen to 
delegate such a responsibility to the business associate, which would 
then make it a contractual requirement for which contractual liability 
would attach.
    Concerning commenters' questions about the continued need for 
business associate agreements given the new direct liability on 
business associates for compliance, we note that section 13404 of the 
HITECH Act expressly refers and ties business associate liability to 
making uses and disclosures in accordance with the uses and disclosures 
laid out in such agreements, rather than liability for compliance with 
the Privacy Rule generally. Further, section 13408 of the HITECH Act 
requires certain data transmission and personal health record vendors 
to have in place business associate agreements with the covered 
entities they serve. We also continue to believe that, despite the 
business associate's direct liability for certain provisions of the 
HIPAA Rules, the business associate agreement is necessary to clarify 
and limit, as appropriate, the permissible uses and disclosures by the 
business associate, given the relationship between the parties and the 
activities or services being performed by the business associate. The 
business associate agreement is also necessary to ensure that the 
business associate is contractually required to perform certain 
activities for which direct liability does not attach (such as amending 
protected health information in accordance with Sec.  164.526). In 
addition, the agreement represents an opportunity for the parties to 
clarify their respective responsibilities under the HIPAA Rules, such 
as by establishing how the business associate should handle a request 
for access to protected health information that it directly receives 
from an individual. Finally, the business associate agreement serves to 
notify the business associate of its status under the HIPAA Rules, so 
that it is fully aware of its obligations and potential liabilities.
    With respect to questions about ``satisfactory assurances,'' Sec.  
164.502(e) provides that covered entities and business associates must 
obtain and document the ``satisfactory assurances'' of a business 
associate through a written contract or other agreement, such as a 
memorandum of understanding, with the business associate that meets the 
applicable requirements of Sec.  164.504(e). As discussed above, Sec.  
164.504(e) specifies the provisions required in the written agreement 
between covered entities and business associates, including a 
requirement that a business associate ensure that any subcontractors 
agree to the same restrictions and conditions that apply to the 
business associate by providing similar satisfactory assurances. Beyond 
the required elements at Sec.  164.504(e), as with any contracting 
relationship, business associates and covered entities may include 
other provisions or requirements that dictate and describe their 
business relationship, and that are outside the governance of the 
Privacy and Security Rules. These may or may not include additional 
assurances of compliance or indemnification clauses or other risk-
shifting provisions.
    We also clarify with respect to the satisfactory assurances to be 
provided by subcontractors, that the agreement between a business 
associate and a business associate that is a subcontractor may not 
permit the subcontractor to use or disclose protected health 
information in a manner that would not be permissible if done by the 
business associate. For example, if a business associate agreement 
between a covered entity and a contractor does not permit the 
contractor to de-identify protected health information, then the 
business associate agreement between the contractor and a subcontractor 
(and the agreement between the subcontractor and another subcontractor) 
cannot permit the de-identification of protected health information. 
Such a use may be permissible if done by the covered entity, but is not 
permitted by the contractor or any subcontractors if it is not 
permitted by the covered entity's business associate agreement with the 
contractor. In short, each agreement in the business associate chain 
must be as stringent or more stringent as the agreement above with 
respect to the permissible uses and disclosures.
    Finally, in response to the comments requesting a model business 
associate agreement, we note that the Department has published sample 
business associate provisions on its web site. The sample language is 
designed to help covered entities comply with the business associate 
agreement requirements of the Privacy and Security Rules. However, use 
of these sample provisions is not required for compliance with the 
Rules, and the language should be amended as appropriate to reflect 
actual business arrangements between the covered entity and the 
business associate (or a business associate and a subcontractor).
Response to Other Public Comments
    Comment: Commenters requested guidance on whether a contract that 
complies with the requirements of the Graham Leach Bliley Act (GLBA) 
and incorporates the required elements of the HIPAA Rules may satisfy 
both sets of regulatory requirements. The commenters urged the 
Department to permit a single agreement rather than requiring business 
associates and business associate subcontractors to enter into separate 
GLBA agreements and business associate agreements.
    Response: While meeting the requirements of the GLBA does not 
satisfy the requirements of the HIPAA Rules, covered entities may use 
one agreement to satisfy the requirements of both the GLBA and the 
HIPAA Rules.
    Comment: A few commenters recommended adding an exception to having 
a business associate agreement for a person that receives a limited 
dataset and executes a data use agreement for research, health care 
operations, or public health purposes.
    Response: We have prior guidance that clarifies that if only a 
limited dataset is released to a business associate for a health care 
operations purpose, then a data use agreement suffices and a business 
associate agreement is not necessary. To make this clear in the 
regulation itself, we are adding to Sec.  164.504(e)(3) a new paragraph 
(iv) that recognizes that a data use agreement may qualify as a 
business associate's satisfactory assurance that it will appropriately 
safeguard the covered entity's protected health information when the 
protected health information disclosed for a health care operations 
purpose is a limited data set. A similar provision is not necessary or 
appropriate for disclosures of limited data sets for research or public 
health purposes since such disclosures would

[[Page 5602]]

not otherwise require business associate agreements.
    Comment: A few commenters requested that the Department delete 
Sec.  164.504(e)(2)(ii)(H), which provides that to the extent the 
business associate is to carry out a covered entity's obligation under 
the HIPAA Rules, the business associate must comply with the 
requirements of the HIPAA Rules that apply to the covered entity in the 
performance of the obligation on behalf of the covered entity. 
Alternatively, commenters suggested that the Department clarify that 
the requirements of the section need not be included in business 
associate agreements and that this section does not limit the ability 
of covered entities and business associates to negotiate 
responsibilities with regard to other sections of the Privacy Rule.
    Response: The Department declines to delete Sec.  
164.504(e)(2)(ii)(H). If a business associate contracts to provide 
services to the covered entity with regard to fulfilling individual 
rights or other obligations of the covered entity under the Privacy 
Rule, then the business associate agreement must require the business 
associate to fulfill such obligation in accordance with the Privacy 
Rule's requirements. We do clarify, however, that if the covered entity 
does not delegate any of its responsibilities under the Privacy Rule to 
the business associate, then Sec.  164.504(e)(2)(ii)(H) is not 
applicable and the parties are not required to include such language.
    Comment: One commenter requested that the Department modify Sec.  
164.502(a)(4)(i) to permit business associates to use and disclose 
protected health information for their own health care operations 
purposes, and another commenter requested that the Department clarify 
whether Sec.  164.504(e)(4) provides that a business associate may use 
or disclose protected health information as a covered entity would use 
or disclose the information.
    Response: The Department declines to make the suggested 
modification. Business associates do not have their own health care 
operations (see the definition of health care operations at Sec.  
164.501, which is limited to activities of the covered entity). While a 
business associate does not have health care operations, it is 
permitted by Sec.  164.504(e)(2)(i)(A) to use and disclose protected 
health information as necessary for its own management and 
administration if the business associate agreement permits such 
activities, or to carry out its legal responsibilities. Other than the 
exceptions for the business associate's management and administration 
and for data aggregation services relating to the health care 
operations of the covered entity, the business associate may not use or 
disclose protected health information in a manner that would not be 
permissible if done by the covered entity (even if such a use or 
disclosure is permitted by the business associate agreement).
    Comment: One commenter suggested requiring subcontractors to return 
or destroy all protected health information received from or created 
for a business associate when the contract with the business associate 
is terminated.
    Response: The final rule at Sec.  164.504(e)(5) does apply the 
requirements at Sec.  164.504(e)(2) through (4) (which set forth the 
requirements for agreements between covered entities and their business 
associates) to agreements between business associates and their 
subcontractors. This includes Sec.  164.504(e)(2)(ii)(J), which 
requires the business associate to return or destroy all protected 
health information received from, or created or received on behalf of, 
the covered entity at the termination of the contract, if feasible. 
When this requirement is applied to the agreement between the business 
associate and its business associate subcontractor, the effect is a 
contractual obligation for the business associate subcontractor to 
similarly return or destroy protected health information at the 
termination of the contract, if feasible.
    Comment: One commenter suggested requiring a business associate to 
disclose all subcontractors of the business associate to a covered 
entity within thirty days of the covered entity's request.
    Response: The Department declines to adopt this suggestion as a 
requirement of the HIPAA Rules, because such a requirement would impose 
an undue disclosure burden on business associates. However, covered 
entities and business associates may include additional terms and 
conditions in their contracts beyond those required by Sec.  164.504.
    Comment: One commenter suggested establishing a certification 
process of business associates and subcontractors with regard to HIPAA 
compliance.
    Response: The Department declines to establish or endorse a 
certification process for HIPAA compliance for business associates and 
subcontractors. Business associates and subcontractors are free to 
enlist the services of outside entities to assess their compliance with 
the HIPAA Rules and certification may be a useful compliance tool for 
entities, depending on the rigor of the program. However, certification 
does not guarantee compliance and therefore ``certified'' entities may 
still be subject to enforcement by OCR.
    Comment: One commenter requested clarification on when it is not 
feasible for a business associate to terminate a contract with a 
subcontractor.
    Response: Whether it is feasible for a business associate to 
terminate an agreement with a business associate subcontractor is a 
very fact-specific inquiry that must be examined on a case-by-case 
basis. For example, termination is not feasible for a business 
associate with regard to a subcontractor relationship where there are 
no other viable business alternatives for the business associate (when 
the subcontractor, for example, provides a unique service that is 
necessary for the business associate's operations). See our prior 
guidance on this issue as it applies to covered entities and business 
associates in Frequently Asked Question 236, available at 
https://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/236.html.
c. Section 164.532--Transition Provisions
Proposed Rule
    We understand that covered entities and business associates are 
concerned with the anticipated administrative burden and cost to 
implement the revised business associate agreement provisions of the 
Privacy and Security Rules. Covered entities may have existing 
contracts that are not set to terminate or expire until after the 
compliance date of the modifications to the Rules, and we understand 
that a six month compliance period may not provide enough time to 
reopen and renegotiate all contracts. In response to these concerns, we 
proposed to relieve some of the burden on covered entities and business 
associates in complying with the revised business associate provisions 
by adding a transition provision to grandfather certain existing 
contracts for a specified period of time. The Department's authority to 
add the transition provision is set forth in Sec.  160.104(c), which 
allows the Secretary to establish the compliance date for any modified 
standard or implementation specification, taking into account the 
extent of the modification and the time needed to comply with the 
modification. The proposed transition period would prevent rushed and 
hasty changes to thousands of on-going existing business associate 
agreements. We addressed the issue of the business associate transition 
provisions as follows.

[[Page 5603]]

    We proposed new transition provisions at Sec.  164.532(d) and (e) 
to allow covered entities and business associates (and business 
associates and business associate subcontractors) to continue to 
operate under certain existing contracts for up to one year beyond the 
compliance date of the revisions to the Rules. The additional 
transition period would be available to a covered entity or business 
associate if, prior to the publication date of the modified Rules, the 
covered entity or business associate had an existing contract or other 
written arrangement with a business associate or subcontractor, 
respectively, that complied with the prior provisions of the HIPAA 
Rules and such contract or arrangement was not renewed or modified 
between the effective date and the compliance date of the modifications 
to the Rules. The proposed provisions were intended to allow those 
covered entities and business associates with valid contracts with 
business associates and subcontractors, respectively, to continue to 
disclose protected health information to the business associate or 
subcontractor, or to allow the business associate or subcontractor to 
continue to create or receive protected health information on behalf of 
the covered entity or business associate, for up to one year beyond the 
compliance date of the modifications, regardless of whether the 
contract meets the applicable contract requirements in the 
modifications to the Rules. With respect to business associates and 
subcontractors, the proposal would grandfather existing written 
agreements between business associates and subcontractors entered into 
pursuant to Sec.  164.504(e)(2)(ii)(D) (which requires the business 
associate to ensure that its agents with access to protected health 
information agree to the same restrictions and conditions that apply to 
the business associate). The Department proposed to deem such contracts 
to be compliant with the modifications to the Rules until either the 
covered entity or business associate has renewed or modified the 
contract following the compliance date of the modifications, or until 
the date that is one year after the compliance date, whichever is 
sooner.
    In cases where a contract renews automatically without any change 
in terms or other action by the parties (also known as ``evergreen 
contracts''), the Department intended that such evergreen contracts 
would be eligible for the extension and that deemed compliance would 
not terminate when these contracts automatically rolled over. These 
transition provisions would have applied to covered entities and 
business associates only with respect to written contracts or other 
written arrangements as specified above, and not to oral contracts or 
other arrangements.
    These transition provisions would have only applied to the 
requirement to amend contracts; they would not affect any other 
compliance obligations under the HIPAA Rules. For example, beginning on 
the compliance date of this rule, a business associate may not use or 
disclose protected health information in a manner that is contrary to 
the Privacy Rule, even if the business associate's contract with the 
covered entity has not yet been amended.
Overview of Public Comments
    Many commenters supported the 1-year extended timeframe for 
compliance with the business associate agreement provisions. Some 
commenters suggested longer timeframes, citing cost and resource 
limitations. Some commenters suggested that the Department should deem 
compliant all business associate agreements that have been renegotiated 
in good faith to meet the February 2010 effective date of the 
applicable provisions in the HITECH Act. Some commenters suggested that 
the Department recognize as compliant business associate agreements 
with provisions requiring compliance with all applicable laws.
Final Rule
    The final rule adopts the proposal, adding new transition 
provisions at Sec.  164.532(d) and (e) to allow covered entities and 
business associates (and business associates and business associate 
subcontractors) to continue to operate under certain existing contracts 
for up to one year beyond the compliance date of the revisions to the 
Rules.
    We decline to provide a longer time for compliance with the 
business associate agreement provisions. We provided a similar 
transition period for revising agreements in the 2002 modifications to 
the HIPAA Rules, and it was our experience that such time was 
sufficient to ease burden on the entities and allow most agreements to 
be modified at the time they would otherwise come up for renewal or 
renegotiation.
    With respect to those business associate agreements that already 
have been renegotiated in good faith to meet the applicable provisions 
in the HITECH Act, covered entities should review such agreements to 
determine whether they meet the final rule's provisions. If they do 
not, these covered entities then have the transition period to make 
whatever additional changes are necessary to conform to the final rule. 
The transition period is also available to those agreements that 
require compliance with all applicable laws (to the extent the 
agreements were otherwise in compliance with the HIPAA Rules prior to 
this final rule), but that do not fully meet the new requirements in 
this final rule. However, we do not deem such contracts as compliant 
beyond the transition period because they would not sufficiently 
reflect the new requirements.
4. Section 164.508--Uses and Disclosures for Which an Authorization Is 
Required
a. Sale of Protected Health Information
Proposed Rule
    Section 164.508 of the Privacy Rule permits a covered entity to use 
and disclose protected health information for purposes not otherwise 
permitted by the Rule if it has obtained a valid written authorization 
from the individual who is the subject of the information. This section 
also specifies two circumstances in which authorization from the 
individual must be obtained: (1) Most uses and disclosures of 
psychotherapy notes; and (2) uses and disclosures for marketing 
purposes.
    Section 13405(d) of the HITECH Act added a third circumstance that 
requires authorization, specifically the sale of protected health 
information. Section 13405(d)(1) prohibits a covered entity or business 
associate from receiving direct or indirect remuneration in exchange 
for the disclosure of protected health information unless the covered 
entity has obtained an individual's authorization pursuant to Sec.  
164.508 that states whether the protected health information can be 
further exchanged for remuneration by the entity receiving the 
information.
    Section 13405(d)(2) contains several exceptions to the 
authorization requirement for circumstances where the purpose of the 
exchange is for: (1) Public health activities, as described at Sec.  
164.512(b) of the Privacy Rule; (2) research purposes as described at 
Sec. Sec.  164.501 and 164.512(i) of the Rule, if the price charged for 
the information reflects the cost of preparation and transmittal of the 
data; (3) treatment of the individual; (4) the sale, transfer, merger 
or consolidation of all or part of a covered entity and for related due 
diligence; (5) services rendered by a business associate pursuant to a

[[Page 5604]]

business associate agreement and at the specific request of the covered 
entity; (6) providing an individual with access to his or her protected 
health information pursuant to Sec.  164.524; and (7) other purposes as 
the Secretary deems necessary and appropriate by regulation. Section 
13405(d)(4) of the Act provides that the prohibition on sale of 
protected health information applies to disclosures occurring six 
months after the date of the promulgation of the final regulations 
implementing this section.
    To implement section 13405(d) of the HITECH Act, we proposed to add 
a general rule at Sec.  164.508(a)(4) requiring a covered entity to 
obtain an authorization for any disclosure of protected health 
information in exchange for direct or indirect remuneration from or on 
behalf of the recipient of the information and to require that the 
authorization state that the disclosure will result in remuneration to 
the covered entity. Consistent with the HITECH Act, the NPRM proposed 
to exclude several disclosures of protected health information made in 
exchange for remuneration from this general rule. As provided in the 
Act, these requirements would also apply to business associates of 
covered entities.
    In the NPRM we did not include language at Sec.  164.508(a)(4) to 
require that the authorization under Sec.  164.508 specify whether the 
protected health information disclosed by the covered entity for 
remuneration could be further exchanged for remuneration by the entity 
receiving the information. The statute refers to obtaining a valid 
authorization that includes a remuneration statement in accordance with 
Sec.  164.508. The remuneration statement required by Sec.  164.508 is 
whether remuneration will be received by the covered entity with 
respect to the disclosures subject to the authorization. This puts the 
individual on notice that the disclosure involves remuneration and 
thus, enables the individual to make an informed decision as to whether 
to sign the authorization. Thus, we interpreted the statute to mean 
that the authorization must include a statement that the covered entity 
is receiving direct or indirect remuneration in exchange for the 
protected health information. We note that these exact words do not 
need to be used in the statement. We provide discretion for covered 
entities to craft appropriate language that reflects, for example, the 
specific type of remuneration they receive. As we explained in the 
NPRM, with respect to the recipient of the information, if protected 
health information is disclosed for remuneration by a covered entity or 
business associate to another covered entity or business associate in 
compliance with the authorization requirements at proposed Sec.  
164.508(a)(4)(i), the recipient covered entity or business associate 
could not redisclose the protected health information in exchange for 
remuneration unless a valid authorization was obtained in accordance 
with proposed Sec.  164.508(a)(4)(i). We requested comment on these 
provisions.
    At proposed Sec.  164.508(a)(4)(ii), we set forth the exceptions to 
the authorization requirement. We proposed the exceptions provided for 
by section 13405(d)(2) of the HITECH Act, and also proposed to exercise 
the authority granted to the Secretary in section 13405(d)(2)(G) to 
include additional exceptions that we deemed to be similarly necessary 
and appropriate. These exceptions are discussed below. We requested 
comment on whether there were additional exceptions that should be 
included in the final regulation.
    First, we proposed to include an exception to cover exchanges for 
remuneration for public health activities pursuant to Sec. Sec.  
164.512(b) or 164.514(e). We added the reference to Sec.  164.514(e) of 
the Privacy Rule to ensure that disclosures of protected health 
information for public health activities in limited data set form would 
also be excepted from the authorization requirement, in addition to 
disclosures that may occur under Sec.  164.512(b) with more 
identifiable information. With respect to the exception for public 
health disclosures, section 13405(d)(3)(A) of the HITECH Act requires 
that the Secretary evaluate the impact on public health activities of 
restricting this exception to require that the price charged for the 
data reflects only the costs of preparation and transmittal of the 
data, including those conducted by or for the use of the Food and Drug 
Administration (FDA). Section 13405(d)(3)(B) further provides that if 
the Secretary finds that such further restriction will not impede 
public health activities, the restriction may then be included in the 
regulations. We did not propose to include such a restriction on 
remuneration in the Rule, but requested public comment to assist us in 
evaluating the impact of doing so.
    The NPRM also included an exception for disclosures of protected 
health information for research purposes, pursuant to Sec. Sec.  
164.512(i) or 164.514(e), in exchange for which the covered entity 
receives only a reasonable, cost based fee to cover the cost to prepare 
and transmit the information for research purposes. Like the public 
health exception, we proposed to add a reference to Sec.  164.514(e) to 
ensure that this exception would also apply to the disclosure of 
protected health information in limited data set form for research 
purposes. We requested public comment on the types of costs that should 
be permitted under this provision.
    We proposed to create an exception from the authorization 
requirement for disclosures of protected health information for 
treatment and payment purposes. Though the Act only addressed 
treatment, we proposed to also except disclosures for payment for 
health care from the remuneration prohibition to make clear that the 
exchange of protected health information to obtain ``payment,'' as such 
term is defined in the Privacy Rule at Sec.  164.501, would not be 
considered a sale of protected health information.
    Consistent with section 13405(d)(2)(D) of the HITECH Act, we 
proposed to except from the authorization requirement disclosures 
described in paragraph (6)(iv) of the definition of health care 
operations at Sec.  164.501, that is, disclosures for the sale, 
transfer, merger, or consolidation of all or part of a covered entity, 
or an entity that following such activity will become a covered entity, 
and due diligence related to such activity.
    We proposed to provide an exception from the authorization 
requirement for disclosures of protected health information to or by a 
business associate for activities that the business associate 
undertakes on behalf of a covered entity pursuant to Sec. Sec.  
164.502(e) and 164.504(e) of the Privacy Rule, as long as the only 
remuneration provided is by the covered entity to the business 
associate for the performance of such activities. This exception would 
exempt from the authorization requirement at Sec.  164.508(a)(4)(i) a 
disclosure of protected health information by a covered entity to a 
business associate or by a business associate to a third party on 
behalf of the covered entity as long as any remuneration received by 
the business associate was for the activities performed by the business 
associate pursuant to a business associate contract.
    We proposed to except from the authorization requirement 
disclosures of protected health information by a covered entity to an 
individual when requested under Sec. Sec.  164.524 (providing a right 
to access protected health information) or 164.528 (providing a right 
to receive an accounting of

[[Page 5605]]

disclosures). While section 13405(d)(2)(F) of the HITECH Act explicitly 
refers only to disclosures under Sec.  164.524, we exercised our 
authority under section 13405(d)(2)(G) of the HITECH Act to likewise 
include in the exception disclosures to the individual under Sec.  
164.528. Section 164.524 permits a covered entity to impose a 
reasonable, cost-based fee for the provision of access to an 
individual's protected health information upon request. Section 164.528 
requires a covered entity to provide a requesting individual with an 
accounting of disclosures without charge in any 12-month period but 
permits a covered entity to impose a reasonable, cost-based fee for 
each subsequent request for an accounting of disclosures during that 
12-month period. Therefore, a disclosure of protected health 
information under Sec.  164.528 is similar to a disclosure under Sec.  
164.524 in that a covered entity may be paid a fee for making the 
disclosure.
    Pursuant to the authority granted to the Secretary in section 
13405(d)(2)(G) of the HITECH Act, we proposed an additional exception 
for disclosures that are required by law as permitted under Sec.  
164.512(a) of the Privacy Rule.
    Finally, we proposed an exception, pursuant to the authority 
granted to the Secretary in section 13405(d)(2)(G), for disclosures of 
protected health information for any other purpose permitted by and in 
accordance with the applicable requirements of the Privacy Rule, as 
long as the only remuneration received by the covered entity is a 
reasonable, cost based fee to cover the cost to prepare and transmit 
the protected health information for such purpose or is a fee otherwise 
expressly permitted by other law. We proposed this exception to ensure 
that the authorization requirement would not deter covered entities 
from disclosing protected health information for permissible purposes 
under the Privacy Rule just because they routinely receive payment 
equal to the cost of preparing, producing, and transmitting the 
protected health information. We emphasized that this proposed 
exception would not apply if a covered entity received remuneration 
above the actual cost incurred to prepare, produce, and transmit the 
protected health information for the permitted purpose, unless such fee 
is expressly permitted by other law.
    As explained in the NPRM, we recognize that many States have laws 
in place to limit the fees a health care provider can charge to 
prepare, copy, and transmit medical records. Under these laws, there is 
great variation regarding the types of document preparation activities 
for which a provider can charge as well as the permissible fee 
schedules for such preparation activities. Some States simply require 
any reasonable costs incurred by the provider in making copies of the 
medical records to be paid for by the requesting party, while other 
States set forth specific cost limitations with respect to retrieval, 
labor, supplies, and copying costs and allow charges equal to actual 
mailing or shipping costs. Many of these State laws set different cost 
limitations based on the amount and type of information to be provided, 
taking into account whether the information is in paper or electronic 
form as well as whether the requested material includes x-rays, films, 
disks, tapes, or other diagnostic imaging. The proposed exception would 
permit recoupment of fees expressly permitted by these other laws.
Overview of Public Comments
    Many commenters asked for clarification on the scope of activities 
that constitute a ``sale of protected health information.'' Several of 
these commenters asked that the final rule include a definition of 
``sale of protected health information'' and argued that the proposed 
language at Sec.  164.508(a)(4) was too broad and had the potential to 
capture a number of activities that should not constitute a ``sale'' of 
protected health information. Commenters made a variety of suggestions 
in this regard, including suggesting that a definition of sale should 
focus on the transfer of ownership of protected health information and 
thus exclude disclosures pursuant to an access agreement, license, or 
lease that appropriately limits a recipient's uses or disclosures of 
the information; or that a definition of sale should more clearly 
capture those disclosures where remuneration is provided in exchange 
for protected health information, rather than all disclosures that may 
involve remuneration. A number of commenters were concerned that fees 
paid for services or programs that involve the disclosure of protected 
health information but that are not fees to purchase the data 
themselves nonetheless would turn such disclosure into a sale of 
protected health information. For example, some commenters were 
concerned that the disclosure of research results to a research sponsor 
would be a sale of protected health information because the sponsor 
paid the covered entity for its services in conducting the research 
study or project. Other commenters expressed concern about the 
authorization requirements for the sale of protected health information 
applying to programs for which a covered entity receives funding and, 
as a condition of that funding, is required to report data, such as 
under the Medicare and Medicaid incentive payment programs for 
meaningful users of certified electronic health record technology and 
certain State grant programs. A few commenters were concerned that the 
exchange of protected health information through a health information 
exchange (HIE) that is paid for through fees assessed on HIE 
participants could be considered sale of protected health information.
    Commenters also asked for clarification on the meaning and scope of 
the term ``direct and indirect remuneration,'' and some were 
particularly concerned that ``indirect remuneration'' meant 
nonfinancial benefits provided in exchange for protected health 
information could turn a disclosure into a sale of protected health 
information. Some commenters stated that prohibiting the receipt of 
indirect remuneration or nonfinancial benefits may eliminate any 
incentive for covered entities to participate in certain collaborative 
research or quality activities, in which covered entities contribute 
data to a centralized database to create aggregate data sets and in 
return may receive a number of nonfinancial benefits, such as the 
ability to use the aggregated information for research or access to 
quality assurance/quality improvement tools. Certain commenters argued 
that the term indirect in the statute modifies the ``receipt'' of 
remuneration (i.e., that the statute also applies to the situation 
where the remuneration is provided by a third party on behalf of the 
recipient of the protected health information) and not the type of 
remuneration.
    The public health exception to the remuneration prohibition 
received a significant amount of support from commenters. Several 
commenters expressed specific support for the proposal to expand the 
exception to also apply to disclosures of limited data sets for public 
health purposes. With respect to the request for comment on the impact 
of restricting this exception to require that the price charged for the 
data reflects on the costs of preparing and transmitting the data, 
commenters were generally opposed to imposing such a restriction. 
Commenters stated that it may be difficult and burdensome to determine 
if some of a covered entity's routine public health reporting involve 
any type of remuneration and

[[Page 5606]]

that a cost-based restriction on remuneration would discourage and 
impede covered entities from making important public health 
disclosures. One commenter was opposed to the public health exception 
altogether, stating that it is a privacy loophole that eliminates 
consumer control over their protected health information.
    Many respondents to the proposed sale prohibition commented on the 
proposed exception for research. While most commenters supported 
including an exception for research disclosures, including disclosures 
of limited data sets for research, many argued that the exception 
should not be limited to the receipt of a reasonable cost-based fee to 
prepare and transmit the data as such a fee limitation could impede 
important research efforts. A number of commenters specifically opposed 
imposing a fee limitation on the disclosure of limited data sets. If a 
fee limitation were retained, commenters argued that it should be 
broadly construed. The majority of commenters on this issue supported 
the proposed exceptions to the remuneration prohibition for treatment 
and health care payment purposes, as necessary so as not to impede 
these core health care functions. Overall, support was also expressed 
by those who commented on the exception for the sale, transfer, merger, 
or consolidation of a covered entity. Further, commenters generally 
agreed that a covered entity should be permitted to disclose protected 
health information without individual authorization as required by law, 
even if remuneration is received in exchange for the disclosure.
    Commenters also submitted a number of comments and questions 
regarding the ability of business associates to receive fees under both 
the proposed exception specifically for fees paid by a covered entity 
to a business associate and the general exception that would allow a 
covered entity to receive a reasonable, cost-based fee to cover the 
costs to prepare and transmit the data or a fee otherwise expressly 
permitted by other law for any disclosure permitted by the Privacy 
Rule. While commenters generally supported these exceptions, commenters 
were concerned that these exceptions appeared not to cover the common 
situation where a business associate, rather than the covered entity, 
receives remuneration from a third party for making a permitted 
disclosure under the Privacy Rule. For example, a number of commenters 
stated that covered entities often outsource to release of information 
(ROI) vendors the processing of requests for copies of medical records 
from third parties and that these vendors and not the covered entities 
bill for the reasonable costs of providing the records to the 
requestors. Commenters asked that the final rule clarify that business 
associates can continue to receive payment of costs from third parties 
for providing this service on behalf of covered entities. Another 
commenter requested that the final rule clarify that the exception for 
remuneration to a business associate for activities performed on behalf 
of a covered entity also applies to remuneration received by 
subcontractors performing services on behalf of business associates.
    Finally, several commenters also responded to the proposed rule's 
request for comment on the general exception at Sec.  
164.508(a)(4)(ii)(H) by suggesting costs that they believed should be 
permitted, including but not limited to costs for: preparing, 
producing, and transmitting protected health information; retrieval, 
labor, supplies, and copying costs; personnel and overhead costs; 
investments and indirect costs; and any costs that are in compliance 
with State law.
Final Rule
    The final rule adopts the HITECH Act's prohibition on the sale of 
protected health information but makes certain changes to the 
provisions in the proposed rule to clarify the scope of the provisions 
and otherwise address certain of commenters' concerns. First, we have 
moved the general prohibition on the sale of protected health 
information by a covered entity or business associate to Sec.  
164.502(a)(5)(ii) and created a definition of ``sale of protected 
health information.'' Numerous commenters requested that the Privacy 
Rule include a definition of sale to better clarify what types of 
transactions fall within the scope of the provisions. Accordingly, 
Sec.  164.502(a)(5)(ii)(B)(1) defines ``sale of protected health 
information'' to generally mean ``a disclosure of protected health 
information by a covered entity or business associate, if applicable, 
where the covered entity or business associate directly or indirectly 
receives remuneration from or on behalf of the recipient of the 
protected health information in exchange for the protected health 
information.'' Section 164.502(a)(5)(ii)(B)(2) then excludes from the 
definition the various exceptions that were in the proposed rule 
(discussed further below).
    We do not limit a ``sale'' to those transactions where there is a 
transfer of ownership of protected health information as some 
commenters suggested. The HITECH Act does not include such a limitation 
and the Privacy Rule rights and protections apply to protected health 
information without regard to ownership interests over the data. Thus, 
the sale provisions apply to disclosures in exchange for remuneration 
including those that are the result of access, license, or lease 
agreements.
    In addition, we do not consider sale of protected health 
information in this provision to encompass payments a covered entity 
may receive in the form of grants, or contracts or other arrangements 
to perform programs or activities, such as a research study, because 
any provision of protected health information to the payer is a 
byproduct of the service being provided. Thus, the payment by a 
research sponsor to a covered entity to conduct a research study is not 
considered a sale of protected health information even if research 
results that may include protected health information are disclosed to 
the sponsor in the course of the study. Further, the receipt of a grant 
or funding from a government agency to conduct a program is not a sale 
of protected health information, even if, as a condition of receiving 
the funding, the covered entity is required to report protected health 
information to the agency for program oversight or other purposes. 
(Certain of these disclosures would also be exempt from the sale 
requirements, depending on whether the requirement to report data was 
included in regulation or other law.) Similarly, we clarify that the 
exchange of protected health information through a health information 
exchange (HIE) that is paid for through fees assessed on HIE 
participants is not a sale of protected health information; rather the 
remuneration is for the services provided by the HIE and not for the 
data itself. (Such disclosures may also be exempt from these provisions 
under the exception for disclosures to or by a business associate that 
is being compensated by a covered entity for its services.) In 
contrast, a sale of protected health information occurs when the 
covered entity primarily is being compensated to supply data it 
maintains in its role as a covered entity (or business associate). 
Thus, such disclosures require the individual's authorization unless 
they otherwise fall within an exception at Sec.  
164.502(a)(5)(ii)(B)(2). For example, a disclosure of protected health 
information by a covered entity to a third party researcher that is 
conducting the research in exchange for remuneration would fall within 
these provisions, unless the only

[[Page 5607]]

remuneration received is a reasonable, cost-based fee to cover the cost 
to prepare and transmit the data for such purposes (see below).
    In response to questions by commenters, we also clarify the scope 
of the term ``remuneration.'' The statute uses the term 
``remuneration,'' and not ``payment,'' as it does in the marketing 
provisions at section 13406(a). Because the statute uses different 
terms, we do not believe that remuneration as applied to the sale 
provisions is limited to financial payment in the same way it is so 
limited in the marketing provisions. Thus, the prohibition on sale of 
protected health information applies to the receipt of nonfinancial as 
well as financial benefits. In response to commenters who indicated 
that the statute's terms ``direct and indirect'' apply to how the 
remuneration is received rather than the remuneration itself, we agree 
and have moved the terms in the definition to further make clear that 
the provisions prohibit the receipt of remuneration not only from the 
third party that receives the protected health information but also 
from another party on behalf of the recipient of the protected health 
information. However, this does not change the scope of the term 
``remuneration.'' As discussed above, we interpret the statute to mean 
that nonfinancial benefits are included in the prohibition. Thus, a 
covered entity or business associate may not disclose protected health 
information in exchange for in kind benefits, unless the disclosure 
falls within one of the exceptions discussed below. Consider, for 
example, a covered entity that is offered computers in exchange for 
disclosing protected health information. The provision of protected 
health information in exchange for the computers would not be 
considered a sale of protected health information if the computers were 
solely used for the purpose of preparing and transmitting protected 
health information to the person collecting it and were returned when 
such disclosure was completed. However, if the covered entity is 
permitted to use the computers for other purposes or to keep the 
computers even after the disclosures have been made, then the covered 
entity has received in kind remuneration in exchange for the protected 
health information above what is needed to make the actual disclosures.
    We retain in the final rule the broad exception for disclosures for 
public health purposes made pursuant to Sec. Sec.  164.512(b) and 
164.514(e). Based on the concerns from the public comment that 
narrowing the exception could discourage voluntary public health 
reporting, we do not limit the exception to only those disclosures 
where all the covered entity receives as remuneration is a cost-based 
fee to cover the cost to prepare and transmit the data.
    With respect to the exception for research disclosures, the final 
rule adopts the language as proposed, including the cost-based fee 
limitation provided for in the HITECH Act. Thus, disclosures for 
research purposes are excepted from the remuneration prohibition to the 
extent that the only remuneration received by the covered entity or 
business associate is a reasonable cost-based fee to cover the cost to 
prepare and transmit the protected health information for such 
purposes. We do not remove the fee limitation as requested by some 
commenters; the statutory language included in Section 13405(d)(2)(B) 
of the HITECH Act clearly states that any remuneration received in 
exchange for research disclosures must reflect only the cost of 
preparation and transmittal of the data for such purpose.
    In response to comments about the types of costs that are permitted 
in the reasonable cost-based fee to prepare and transmit the data, we 
clarify that this may include both direct and indirect costs, including 
labor, materials, and supplies for generating, storing, retrieving, and 
transmitting the protected health information; labor and supplies to 
ensure the protected health information is disclosed in a permissible 
manner; as well as related capital and overhead costs. However, fees 
charged to incur a profit from the disclosure of protected health 
information are not allowed. We believe allowing a profit margin would 
not be consistent with the language contained in Section 13405 of the 
HITECH Act. We intend to work with the research community to provide 
guidance and help the research community reach a common understanding 
of appropriate cost-based limitations on remuneration.
    We retain the exceptions proposed for treatment and payment 
disclosures without modification and agree with commenters that these 
exceptions are necessary to make clear that these core health care 
functions may continue. Similarly, we retain the exception to the 
remuneration prohibition for disclosures for the transfer, merger, or 
consolidation of all or part of a covered entity with another covered 
entity, or an entity that following such activity will become a covered 
entity, and related due diligence, to ensure that such disclosures may 
continue to occur in accordance with the Privacy Rule. We retain the 
proposed exception for disclosures that are otherwise required by law 
to ensure a covered entity can continue to meet its legal obligations 
without imposing an authorization requirement. We also retain the 
exception for disclosures to the individual to provide the individual 
with access to protected health information or an accounting of 
disclosures, where the fees charged for doing so are in accord with the 
Privacy Rule.
    We adopt the exceptions for remuneration paid by a covered entity 
to a business associate for activities performed on behalf of a covered 
entity, as well as the general exception permitting a covered entity to 
receive remuneration in the form of a reasonable, cost-based fee to 
cover the cost to prepare and transmit the protected health information 
for any disclosure otherwise permitted by the Privacy Rule. However, we 
make a number of clarifications to address commenters questions and 
concerns regarding the ability of a business associate rather than a 
covered entity to receive the permitted remuneration. First, we add the 
term ``business associate'' in the general exception permitting 
reasonable, cost-based fees to prepare and transmit data (or fees 
permitted by State laws) to make clear that business associates may 
continue to recoup fees from third party record requestors for 
preparing and transmitting records on behalf of a covered entity, to 
the extent such fees are reasonable, cost-based fees to cover the cost 
to prepare and transmit the protected health information or otherwise 
expressly permitted by other law. Second, we clarify in the business 
associate exception that the exception would also cover remuneration by 
a business associate to its subcontractor for activities performed by 
the subcontractor on behalf of the business associate. Finally, we add 
the term ``business associate'' to the general prohibition on sale of 
protected health information for consistency, even though, without the 
addition, a business associate still would not be permitted to sell 
protected health information as a business associate may generally only 
make uses and disclosures of protected health information in manners in 
which a covered entity would be permitted under the Privacy Rule.
    With respect to the types of costs that would be permitted as part 
of a reasonable, cost-based fee under this provision, we clarify that 
the final rule permits the same types of costs under this exception as 
the research exception, as well as costs that are in compliance with a 
fee schedule provided by State

[[Page 5608]]

law or otherwise expressly permitted by other applicable law. Thus, 
costs may include the direct and indirect costs to prepare and transmit 
the data, including labor, materials, and supplies, but not a profit 
margin. We intend to continue to work with interested stakeholders to 
develop more guidance on direct and indirect costs and on remuneration.
Response to Other Public Comments
    Comment: Several commenters suggested that we make clear in the 
final rule that redisclosures of information by a recipient covered 
entity or business associate even for remuneration that are set forth 
in the original authorization are not restricted by this provision. 
Another commenter argued that the original authorization form should 
indicate whether the recipient of the protected health information will 
further exchange the information for remuneration.
    Response: It is expected to be the usual case that if a covered 
entity or business associate that receives protected health information 
in exchange for remuneration wishes to further disclose that 
information in exchange for remuneration, then an additional 
authorization in accordance with Sec.  164.508 must be obtained because 
such disclosures will not be encompassed by the original authorization. 
However, it may be possible that redisclosures of information for 
remuneration by a recipient covered entity or business associate do not 
require an additional authorization, provided it is sufficiently clear 
to the individual in the original authorization that the recipient 
covered entity or business associate will further disclose the 
individual's protected health information in exchange for remuneration. 
In response to the commenter that argued that the original 
authorization form should indicate whether the recipient of the 
protected health information will further exchange the information for 
remuneration, as explained above we believe the language included in 
Section 13405 of the HITECH Act was to alert the individual as to 
whether the disclosures he or she was authorizing at the time involved 
remuneration. Where the recipient of protected health information 
pursuant to an authorization is a third party that is not a covered 
entity or business associate, we do not have authority to require that 
entity to disclose to the disclosing covered entity or business 
associate whether it plans to further exchange the protected health 
information for remuneration for purposes of including such information 
on the authorization form. However, covered entities that are informed 
of such information may include it on the authorization form if they 
wish to. In any event, the Privacy Rule retains the requirement that an 
authorization inform the individual of the potential for information 
disclosed pursuant to the authorization to be subject to redisclosure 
by the recipient and to no longer be subject to the Privacy Rule.
    Comment: Several commenters asked for clarification on the effect 
the final rule will have on existing research efforts and some 
suggested that HHS should grandfather in all Privacy Rule 
authorizations for research obtained under existing law before the 
effective date of the final rule. These commenters believed addressing 
current research would be necessary to ensure the rule would not 
frustrate ongoing research efforts.
    Response: We agree that ongoing research studies that are based on 
a prior permission under the Privacy Rule for the research use or 
disclosure of protected health information should be grandfathered so 
as not to disrupt these ongoing studies. We have added a reference to 
the authorization requirements that apply to the sale of protected 
health information at Sec.  164.508(a)(4) to make clear that the 
transition provisions in Sec.  164.532 apply to permissions existing 
prior to the applicable compliance date of the Rule. Thus, a covered 
entity may continue to rely on an authorization obtained from an 
individual prior to the compliance date even if remuneration is 
involved but the authorization does not indicate that the disclosure is 
in exchange for remuneration. This would apply to authorizations for 
any permissible purpose under the Rule and not just for research 
purposes. Further, in the research context, where a covered entity 
obtained documentation of a waiver of authorization from an 
Institutional Review Board or Privacy Board prior to the compliance 
date for this final rule, the covered entity may continue to rely on 
that documentation to release protected health information to a 
researcher, even if the covered entity receives remuneration in the 
form of more than a reasonable, cost based fee to prepare and transmit 
the data. Finally, we also provide at new Sec.  164.532(f) that a 
covered entity may continue to use or disclose a limited data set in 
accordance with an existing data use agreement that meets the 
requirements of Sec.  164.514(e), including for research purposes, 
until the data use agreement is renewed or modified or until one year 
from the compliance date of this final rule, whichever is earlier, even 
if such disclosure would otherwise constitute a sale of protected 
health information upon the effective date of this rule.
    Comment: Some commenters were concerned that the sale prohibition 
would apply to a covered entity's sale of accounts receivable including 
protected health information to a collection agency, arguing that such 
disclosures should remain permissible without authorization as a 
payment disclosure.
    Response: Disclosures of protected health information for payment 
collection activities are permitted without authorization as a payment 
disclosure under the Privacy Rule (see Sec. Sec.  164.501 and 
164.506(a)) and thus, are excepted from the remuneration prohibition at 
Sec.  164.502(a)(5)(ii)(B)(2)(iii).
    Comment: A few commenters asked that the final rule clarify that 
transfers of value among entities under common control does not 
implicate the authorization requirements. Similarly, some commenters 
sought clarification on whether business transfers on the books for 
internal reorganization would also be excluded under the transfer, 
merger, and consolidation exception to the final rule.
    Response: First, we clarify that uses of protected health 
information within a covered entity that is a single legal entity are 
not implicated by the remuneration prohibition as the prohibition 
applies only to disclosures outside of a covered entity. Second, the 
use of protected health information among legally separate covered 
entities under common ownership or control that have designated 
themselves as an affiliated covered entity (i.e., a single covered 
entity for purposes of compliance with the HIPAA Rules) is not 
implicated. See the requirements for affiliated covered entities at 
Sec.  164.105(b). Thus, to the extent that what the commenters 
contemplate is an otherwise permissible use of protected health 
information within a single legal entity that is a covered entity or an 
affiliated covered entity, such use of data is not impacted by these 
provisions. Third, disclosures of protected health information for the 
sale, transfer, merger, or consolidation of all or part of a covered 
entity with another covered entity, or with an entity that following 
such activity will become a covered entity and due diligence related to 
such activity are excepted from the definition of sale of protected 
health information at Sec.  164.502(a)(5)(ii)(B)(2)(iv).
    Comment: Some commenters expressed concern over the role the

[[Page 5609]]

Institutional Review Board will play in determining reasonable costs, 
and several commenters asked that the final rule clarify that the 
Institutional Review Board is not responsible for making a 
determination regarding the permissibility of the fees paid in exchange 
for a disclosure of protected health information for research purposes.
    Response: We clarify that a covered entity, or business associate 
if applicable, is responsible for determining whether any fees paid to 
the entity in exchange for protected health information covers the 
covered entity's or business associate's costs to prepare and transmit 
protected health information for research.
    Comment: A few commenters sought clarification on how to 
differentiate access to protected health information from access to 
statistical data, particularly when remuneration is provided for access 
to a database but the party is solely interested in a population study, 
not an individual's protected health information.
    Response: Disclosures of health information that has been de-
identified in accordance with the Privacy Rule at Sec.  164.514(b)-(d) 
are not subject to the remuneration prohibition as such information is 
not protected health information under the Rule. However, a covered 
entity that allows a third party access to a database containing 
protected health information in exchange for remuneration is subject to 
these provisions unless an exception applies (e.g., the remuneration 
received is limited to a reasonable, cost-based fee to prepare and make 
available the data).
    Comment: A number of commenters argued that limited data sets 
should be exempted entirely from the remuneration prohibition because 
they are not fully identifiable data sets and are subject to 
protections under data use agreements.
    Response: We decline to completely exempt limited data sets from 
these provisions as, unlike de-identified data, they are still 
protected health information. However, disclosures of limited data sets 
for purposes permitted under the Rule would be exempt from the 
authorization requirements to the extent the only remuneration received 
in exchange for the data is a reasonable, cost-based fee to prepare and 
transmit the data or a fee otherwise expressly permitted by other law. 
We also provide at new Sec.  164.532(f) that a covered entity may 
continue to use or disclose a limited data set in accordance with an 
existing data use agreement that meets the requirements of Sec.  
164.514(e), including for research purposes, until the data use 
agreement is renewed or modified or until one year from the compliance 
date of this final rule, whichever is earlier, even if such disclosure 
would otherwise constitute a sale of protected health information upon 
the effective date of this rule.
b. Research
i. Compound Authorizations
Proposed Rule
    Section 164.508(b)(4) of the Privacy Rule prohibits covered 
entities from conditioning treatment, payment, enrollment in a health 
plan, or eligibility for benefits on the provision of an authorization. 
This limitation is intended to ensure that authorization from an 
individual for a use or disclosure of protected health information is 
voluntarily provided. However, there are exceptions to this general 
rule for certain circumstances, including in the research context, 
where a covered entity may condition the provision of research-related 
treatment, such as in a clinical trial, on obtaining the individual's 
authorization for the use or disclosure of protected health information 
for such research. Permitting the use of protected health information 
is part of the decision to receive care through a clinical trial, and 
health care providers conducting such trials are able to condition 
research-related treatment on the individual's willingness to authorize 
the use or disclosure of protected health information for research 
associated with the trial.
    Section 164.508(b)(3) generally prohibits what are termed 
``compound authorizations,'' i.e., where an authorization for the use 
and disclosure of protected health information is combined with any 
other legal permission. However, Sec.  164.508(b)(3)(i) carves out an 
exception to this general prohibition, permitting the combining of an 
authorization for a research study with any other written permission 
for the same study, including another authorization or informed consent 
to participate in the research. Nonetheless, Sec.  164.508(b)(3)(iii) 
prohibits combining an authorization that conditions treatment, 
payment, enrollment in a health plan, or eligibility for benefits 
(conditioned authorization) with an authorization for another purpose 
for which treatment, payment, enrollment, or eligibility may not be 
conditioned (unconditioned authorization). This limitation on certain 
compound authorizations was intended to help ensure that individuals 
understand that they may decline the activity described in the 
unconditioned authorization yet still receive treatment or other 
benefits or services by agreeing to the conditioned authorization.
    The impact of these authorization requirements and limitations can 
be seen during clinical trials that are associated with a corollary 
research activity, such as when protected health information is used or 
disclosed to create or to contribute to a central research database or 
repository. For example, Sec.  164.508(b)(3)(iii) prohibits covered 
entities from obtaining a single authorization for the use or 
disclosure of protected health information for a research study that 
includes both treatment as part of a clinical trial and tissue banking 
of specimens (and associated protected health information) collected, 
since the individual generally must sign the authorization for the use 
of his or her protected health information in the clinical trial in 
order to receive the research-related treatment (conditioned 
authorization) but whether the individual also signs the tissue banking 
authorization is completely voluntary and will not affect the 
individual receiving the research-related treatment (unconditioned 
authorization). Thus, covered entities must obtain separate 
authorizations from research participants for a clinical trial that 
also collects specimens with associated protected health information 
for a central repository.
    As stated in the NPRM, various groups, including researchers and 
professional organizations, have expressed concern at this lack of 
integration. A number of persons in the research community have stated 
that requiring separate forms for these corollary research activities 
is inconsistent with current practice under the Common Rule (45 CFR 
Part 46) with respect to obtaining informed consent and creates 
unnecessary documentation burdens. Persons have also indicated that the 
multiple authorization forms are potentially confusing to research 
subjects and/or may dissuade them altogether from participating in a 
clinical trial, and that redundant information on the forms diverts an 
individual's attention from other content that describes how and why 
the personal health information may be used. In light of these 
concerns, the Secretary's Advisory Committee on Human Research 
Protections in 2004 (Recommendation V, in a letter to the Secretary of 
HHS, available at https://www.hhs.gov/ohrp/sachrp/hipaalettertosecy090104.html), as well as the Institute of Medicine in 
its 2009 Report, ``Beyond the HIPAA Privacy Rule: Enhancing Privacy, 
Improving Health Through Research''

[[Page 5610]]

(Recommendation II.B.2), made specific recommendations to allow 
combined authorizations for clinical trials and biospecimen storage.
    To address these concerns and streamline the process in the Privacy 
Rule for obtaining an individual's authorization for research, we 
proposed to amend Sec.  164.508(b)(3)(i) and (iii) to allow a covered 
entity to combine conditioned and unconditioned authorizations for 
research, provided that the authorization clearly differentiates 
between the conditioned and unconditioned research components and 
clearly allows the individual the option to opt in to the unconditioned 
research activities. These provisions would allow covered entities to 
combine authorizations for the use and disclosure of protected health 
information for clinical trials and related biospecimen banking 
activities, as well as other scenarios that often occur in research 
studies.
    While we did not propose to alter the core elements or required 
statements integral to a valid authorization, we stated that covered 
entities would have some flexibility with respect to how they met the 
authorization requirements. For example, covered entities could 
facilitate an individual's understanding of a compound authorization by 
describing the unconditioned research activity on a separate page of a 
compound authorization and could also cross-reference relevant sections 
of a compound authorization to minimize the potential for redundant 
language. In addition, a covered entity could use a separate check-box 
for the unconditioned research activity to signify whether an 
individual has opted-in to the unconditioned research activity, while 
maintaining one signature line for the authorization, or alternatively 
provide a distinct signature line for the unconditioned authorization 
to signal that the individual is authorizing optional research that 
will not affect research-related treatment. We requested comment on 
additional methods that would clearly differentiate to the individual 
the conditioned and unconditioned research activities on the compound 
authorization.
Overview of Public Comments
    Almost all commenters on this topic strongly supported the proposal 
to allow combined authorizations for conditioned and unconditioned 
research activities. Many commenters supported allowing flexibility for 
institutions to determine how best to differentiate the unconditioned 
authorization for the voluntary research activity, including whether to 
use a check box with a single signature line, or separate signature 
lines. Several commenters suggested that an opt out method should be 
permitted as an alternative to an opt in approach.
    A few commenters opposed the proposal to allow compound 
authorizations for conditioned and unconditioned research activities. 
These commenters generally felt that separate authorizations are 
appropriate and that there is not sufficient evidence to suggest that 
combining the forms will be beneficial to individuals.
    The Secretary's Advisory Committee on Human Research Protections, 
in its letter of comment on the Department's NPRM, indicated its 
support for the proposal to permit compound authorizations for 
conditioned and unconditioned research activities, and expressed 
particular appreciation for the goal of harmonization with the Common 
Rule. The Secretary's Advisory Committee on Human Research Protections 
also supported flexibility in the manner that the conditioned and 
unconditioned research activities are differentiated. The Secretary's 
Advisory Committee on Human Research Protections requested 
clarification that the compound authorizations permitted under this 
proposal would be permissible for any type of combined research 
studies, and not exclusively for clinical trials with a biospecimen 
banking component.
Final Rule
    The final rule adopts the proposal to amend Sec.  164.508(b)(3)(i) 
and (iii) to allow a covered entity to combine conditioned and 
unconditioned authorizations for research, provided that the 
authorization clearly differentiates between the conditioned and 
unconditioned research components and clearly allows the individual the 
option to opt in to the unconditioned research activities. We intend 
this provision to allow for the use of compound authorizations for any 
type of research activities, and not solely to clinical trials and 
biospecimen banking, except to the extent the research involves the use 
or disclosure of psychotherapy notes. For research that involves the 
use or disclosure of psychotherapy notes, an authorization for a use or 
disclosure of psychotherapy notes may only be combined with another 
authorization for a use or disclosure of psychotherapy notes. See Sec.  
164.508(b)(3)(ii). Thus, aside from the use of psychotherapy notes, 
combined authorizations could be obtained for the use of protected 
health information in a clinical trial and optional sub-studies, as 
well as for biospecimen banking that also permits future secondary use 
of the data (to the extent the future use authorization is aligned with 
the discussion in the following section regarding authorizations for 
future research). Also, this provision continues to allow for a covered 
entity to combine such authorizations with informed consent documents 
for the research studies.
    The final rule provides covered entities, institutions, and 
Institutional Review Boards with flexibility to determine the best 
approach for clearly differentiating the conditioned and unconditioned 
research activities and giving research participants the option to opt 
in to the unconditioned research activities. We decline to permit a 
combined authorization that only allows the individual the option to 
opt out of the unconditioned research activities (e.g., ``check here if 
you do NOT want your data provided to the biospecimen bank'') because 
an opt out option does not provide individuals with a clear ability to 
authorize the optional research activity, and may be viewed as coercive 
by individuals. The final rule does not remove the requirement that an 
individual affirmatively authorize the unconditioned research 
activities; it merely provides flexibility to streamline the 
authorization process by combining the forms.
    With respect to the commenters that believed there is insufficient 
evidence that combining conditioned and unconditioned research 
activities into a compound authorization would be beneficial, and that 
such compound authorizations may be confusing for patients, as 
indicated above, there have been anecdotal reports to the Department 
that the use of multiple authorization forms has caused confusion among 
research subjects. Further, we note that these modifications do not 
remove the required elements of an authorization that are necessary to 
inform the individual about the study (e.g., description of the 
information to be used or disclosed, description of the purpose, etc.); 
they merely introduce flexibility to avoid redundant language that 
would otherwise be necessary to include in the authorizations for the 
multiple research activities. In addition, these changes are intended 
to align the HIPAA Privacy Rule's authorization requirements with what 
has been common and ongoing practice in terms of the informed consent 
form under the Common Rule.
    We note that covered entities are permitted but not required by the 
modifications adopted at

[[Page 5611]]

Sec.  164.508(b)(3)(i) and (iii) to create compound authorizations for 
conditioned and unconditioned research activities. Previously approved, 
ongoing studies may continue to rely on the separate authorization 
forms that were obtained under the prior provisions. For new studies, 
covered entities and researchers may continue to use separate 
authorizations for conditioned and unconditioned research activities, 
or may transition to compound authorizations as they deem appropriate, 
which can be used beginning on the effective date of this rule.
Response to Other Public Comments
    Comment: The Secretary's Advisory Committee on Human Research 
Protections asked whether the following approaches for distinguishing 
between conditioned and unconditioned research activities would be 
acceptable: Using (1) a combined consent/authorization form for a 
clinical trial and optional banking component, with a check-box for the 
individual to have the choice to opt in to the optional banking 
component, and one signature; (2) a combined consent/authorization form 
for a clinical trial and optional banking component, with one signature 
for the clinical trial and another signature to indicate the individual 
agrees to the optional banking component; and (3) a combined consent/
authorization form for a clinical trial and optional banking component, 
with a check box for the individual to have the choice to opt in to the 
banking component, and one signature, but with detailed information 
about the banking component presented in a separate brochure or 
information sheet that is referenced directly in the consent/
authorization form.
    Response: Covered entities and researchers have flexibility in the 
methods used to distinguish the conditioned and unconditioned research 
activities and to provide the individual with a clear opportunity to 
opt in to the unconditioned portion, and all of the above approaches 
would be acceptable provided, with respect to the third approach, that 
the brochure or information sheet is incorporated by reference into the 
authorization/consent form such that it is considered to be part of the 
form (even if not physically attached to the form). In addition, if the 
brochure or information sheet includes required elements of the 
authorization (or informed consent), and authorization/consent has not 
been altered by an Institutional Review Board, then the brochure or 
information sheet must be made available to potential research 
participants before they are asked to sign the authorization/consent 
document (unless the authorization form itself includes the required 
elements). Finally, in such cases, a covered entity must keep not only 
the signed authorization/consent form, but also a copy of the brochure 
or information sheet, in order to be in compliance with the 
documentation requirements at Sec.  164.530(j).
    Comment: The Secretary's Advisory Committee on Human Research 
Protections requested confirmation that the compound authorization 
proposal would not affect the waiver provisions currently existing in 
the Privacy Rule, such that such provisions could be used, if 
appropriate, for new studies distinct from both the original study and 
the banking activity.
    Response: The new compound authorization provision does not affect 
the waiver of authorization provisions in the Privacy Rule. A covered 
entity may continue to use or disclose protected health information for 
research purposes based on documentation that meets the requirements at 
Sec.  164.512(i), indicating that an Institutional Review Board or 
Privacy Board has waived the obtaining of individual authorization for 
such purposes, based on a determination that (1) the use or disclosure 
of protected health information involves no more than a minimal risk to 
the privacy of individuals; (2) the research could not practicably be 
conducted without the waiver; and (3) the research could not 
practicably be conducted without access to and use of the protected 
health information.
    Comment: The Secretary's Advisory Committee on Human Research 
Protections requested clarification on the effect of revoking only one 
part of a compound authorization. For example, if an individual signs a 
combined authorization for conditioned and unconditioned research 
activities and later specifically revokes only the unconditioned 
research activity (e.g., the banking component), then the covered 
entity may continue to act in reliance on the authorization for the 
conditioned component (e.g., the clinical trial).
    Response: Where it is clear that an individual is revoking only one 
part of a compound authorization, such revocation does not equate to a 
revocation of the entire authorization to include the other studies. 
However, where it is not clear exactly to which research activities the 
individual's revocation applies, written clarification must be obtained 
from the individual in order for the revocation to apply only to 
certain of the research activities identified in the authorization, or 
the entire authorization must be treated as revoked. Further, such 
revocations must be maintained and documented in a manner that will 
ensure uses and disclosures of protected health information for the 
activity to which the revocation applies discontinue, except to the 
extent the covered entity has already acted in reliance on the 
authorization, which would permit certain limited, continued use and 
disclosure, such as necessary to maintain the integrity of the research 
study.
ii. Authorizing Future Research Use or Disclosure
Prior Interpretation
    Research often involves obtaining health information and biological 
specimens to create a research database or repository for future 
research. For example, this frequently occurs where clinical trials are 
paired with corollary research activities, such as the creation of a 
research database or repository where information and specimens 
obtained from a research participant during the trial are transferred 
and maintained for future research. It is our understanding that 
Institutional Review Boards in some cases may approve an informed 
consent document for a clinical trial that also asks research 
participants to permit future research on their identifiable 
information or specimens obtained during the course of the trial. It is 
also our understanding that an Institutional Review Board may in some 
cases review an informed consent for a prior clinical trial to 
determine whether a subsequent research use is encompassed within the 
original consent.
    The Department has previously interpreted the Privacy Rule, 
however, to require that authorizations for research be study specific 
for purposes of complying with the Rule's requirement at Sec.  
164.508(c)(1)(iv) that an authorization must include a description of 
each purpose of the requested use or disclosure. See 67 FR 53182, 
53226, Aug. 14, 2002. In part, the Department's interpretation was 
based on a concern that patients could lack necessary information in 
the authorization to make an informed decision about the future 
research. In addition, it was recognized that not all uses and 
disclosures of protected health information for a future research 
purpose would require a covered entity to re-contact the individual to 
obtain another authorization (e.g., uses or disclosures with a waiver 
of

[[Page 5612]]

authorization from an Institutional Review Board or Privacy Board as 
provided under Sec.  164.512(i) or of a limited data set pursuant to a 
data use agreement under Sec.  164.514(e) for the future research 
purpose).
    Subsequent to issuing this interpretation, the Department heard 
concerns from covered entities and researchers that the Department's 
interpretation encumbers secondary research, and limits an individual's 
ability to agree to the use or disclosure of their protected health 
information for future research. In addition, many commenters noted 
that the Department's interpretation limiting the scope of a HIPAA 
authorization for research appeared to diverge from the current 
practice under the Common Rule with respect to the ability of a 
researcher to seek subjects' informed consent to future research so 
long as the future research uses are described in sufficient detail to 
allow an informed consent. These commenters, as well as the Secretary's 
Advisory Committee on Human Research Protections in 2004 
(Recommendation IV, in a letter to the Secretary of HHS, available at 
https://www.hhs.gov/ohrp/sachrp/hipaalettertosecy090104.html) and the 
Institute of Medicine in its 2009 Report entitled ``Beyond the HIPAA 
Privacy Rule: Enhancing Privacy, Improving Health Through Research'' 
(Recommendation II.B.1), had urged the Department to allow the HIPAA 
authorization to permit future research use and disclosure of protected 
health information.
    Given these concerns, the Department explained in the NPRM that it 
was considering a number of options regarding authorizations for future 
research, including whether the Privacy Rule should: permit an 
authorization for uses and disclosures of protected health information 
for future research purposes to the extent such purposes are adequately 
described in the authorization such that it would be reasonable for the 
individual to expect that his or her protected health information could 
be used or disclosed for such future research; or permit an 
authorization for future research but require certain specific elements 
or statements with respect to the future research, particularly where 
the future research may encompass certain types of sensitive research 
activities, such as research involving genetic analyses or mental 
health research, that may alter an individual's willingness to 
participate in the research. We requested comment on these options and 
on how a revocation would operate with respect to future downstream 
research studies.
Overview of Public Comments
    Almost all commenters on this topic supported the proposal to allow 
authorizations for future research. Many commenters indicated this 
flexibility to be important, particularly considering evolving 
technologies and discoveries.
    About half of these commenters specifically advocated for providing 
investigators and Institutional Review Boards with the maximum 
flexibility to determine the appropriateness of the descriptions for 
future research and felt that this would best align with the Common 
Rule. These commenters were thus against requiring specific statements 
in the Privacy Rule about the future research, including for sensitive 
research. Other commenters were in favor of requiring the additional 
statements about sensitive categories of research, stating that this 
would better inform individuals and give them greater choice in 
determining their willingness to participate in certain types of future 
research. A couple of these commenters recommended working with 
National Committee on Vital and Health Statistics on the categories of 
sensitive research, however no further examples of specific types of 
research were given beyond the examples provided in the proposed rule 
(genetic analyses or mental health research). Several commenters 
specifically advised against requiring specific statements for 
sensitive research, citing concerns of variability in what is 
considered sensitive information and practicality challenges due to the 
changing nature of the concept over time.
    A few commenters opposed the proposal to allow authorizations for 
future research altogether. Some of these commenters felt strongly that 
study-specific authorizations are critical to protect patients, and are 
the only way that individuals can make a truly informed decision. These 
commenters suggested that outreach to patients and potential research 
participants to solicit feedback, as well as a study on the potential 
burdens that enhanced authorizations may have on stakeholders, were 
necessary before any changes were made.
    In its comment letter on the NPRM, the Secretary's Advisory 
Committee on Human Research Protections supported the proposal to 
harmonize HIPAA authorizations with the Common Rule informed consent 
requirements, and also requested consultation with the FDA to ensure 
that authorizations for future research align not only with the Common 
Rule standards but also FDA standards for informed consent. They 
indicated that the authorization should be reasonably specific such 
that individuals are aware of the types of research that may be 
conducted. However, the Secretary's Advisory Committee on Human 
Research Protections emphasized the need for flexibility to rely on 
Institutional Review Board judgment and recommended against requiring 
prescribed statements about certain types of ``sensitive'' research, 
since these concepts change over time and requiring prescribed 
authorization statements may conflict with Institutional Review Boards' 
judgments about how to appropriately describe the research in the 
informed consent.
Modified Interpretation
    We modify the prior Departmental interpretation that research 
authorizations must be study specific. This modification does not make 
any changes to the authorization requirements at Sec.  164.508. A HIPAA 
authorization for future research must still address each of the core 
elements and statements required at Sec.  164.508(c). However, the 
Department no longer interprets the ``purpose'' provision at Sec.  
164.508(c)(1)(iv) as requiring that an authorization for the use or 
disclosure of protected health information for research purposes be 
study specific. In order to satisfy the requirement that an 
authorization include a description of each purpose of the requested 
use or disclosure, an authorization for uses and disclosures of 
protected health information for future research purposes must 
adequately describe such purposes such that it would be reasonable for 
the individual to expect that his or her protected health information 
could be used or disclosed for such future research. This could include 
specific statements with respect to sensitive research to the extent 
such research is contemplated. However, we do not prescribe specific 
statements in the Rule. We agree that it is difficult to define what is 
sensitive and that this concept changes over time. We also agree with 
commenters that this approach best harmonizes with practice under the 
Common Rule regarding informed consent for future research, and allows 
covered entities, researchers and Institutional Review Boards to have 
flexibility in determining what adequately describes a future research 
purpose depending on the circumstances. We have consulted with Office 
for Human Research Protections (OHRP) and the FDA on this approach to 
ensure consistency and

[[Page 5613]]

harmonization with the HHS and FDA human subjects protections 
regulations, where appropriate.
    With respect to commenters that stated it is impossible for 
individuals to be truly informed about future research, we note that we 
are aligning with existing practice under the Common Rule in regard to 
informed consent and still require that all required elements of 
authorization be included in an authorization for future research, even 
if they are to be described in a more general manner than is done for 
specific studies.
    Pursuant to this modified interpretation, covered entities that 
wish to obtain individual authorization for the use or disclosure of 
protected health information for future research may do so at any time 
after the effective date of this final rule. Alternatively, covered 
entities may continue to use only study-specific authorizations for 
research if they choose.
Response to Other Public Comments
    Comment: The Secretary's Advisory Committee on Human Research 
Protections requested flexibility regarding the description in the 
authorization of the information to be used or disclosed for future 
research as well as to whom the covered entity may make the requested 
use or disclosure as there may be some uncertainty of the identity of 
future researchers. The Secretary's Advisory Committee on Human 
Research Protections also suggested that the description of information 
to be collected be allowed to reference information beyond the time of 
the original study, for example ``your future medical records [at 
Hospital]'' or ``your future medical records [relating to diseases/
conditions].''
    Response: Covered entities and researchers have flexibility to 
describe the information to be used or disclosed for the future 
research, so long as it is reasonable from such description to believe 
that the individual would expect the information to be used or 
disclosed for the future research. We also clarify that a description 
of the protected health information to be used for the future research 
may include information collected beyond the time of the original 
study. Further, the Privacy Rule authorization requirements allow a 
``class of persons'' to be described for purposes of identifying in the 
authorization the recipients of the protected health information. Thus, 
covered entities and researchers have flexibility in the manner in 
which they describe the recipients of the protected health information 
for the future research, so long as it is reasonable from such 
description to believe that the individual would expect his or her 
protected health information to be shared with such persons for the 
future research.
    Comment: The Secretary's Advisory Committee on Human Research 
Protections requested that the Department allow for grandfathering of 
existing, ongoing studies that involve the possibility of future/
secondary research, if an Institutional Review Board-approved consent 
reasonably informed the individuals of the future research. In these 
situations, researchers would have needed to obtain a study-specific 
authorization or waiver of authorization before commencing the future/
secondary research that was encompassed in the original informed 
consent.
    Response: Covered entities and researchers may rely on an 
Institutional Review Board-approved consent obtained prior to the 
effective date of this final rule that reasonably informed individuals 
of the future research, provided the informed consent was combined with 
a HIPAA authorization (even though the authorization itself was 
specific to the original study or creation and maintenance of a 
repository).
    Comment: One commenter advocated for the use of time-limited 
authorizations for future research.
    Response: This modification in Departmental interpretation does not 
change the requirement at Sec.  164.508(c)(1)(v), which states that an 
authorization must contain an expiration date or an expiration event 
that relates to the individual or the purpose of the use or disclosure. 
This statement may be a specific time limit, or be ``end of the 
research study,'' ``none,'' or similar language for a research study.
    Comment: Several commenters suggested that revocation of 
authorizations should continue to be permitted in the same manner that 
it is currently allowed under the Privacy Rule. The Secretary's 
Advisory Committee on Human Research Protections recommended that 
revocations of authorization for future research be permitted orally, 
rather than in writing, as is currently required for all authorizations 
under Sec. Sec.  164.508(b)(5) and (c)(2)(i) of the Rule.
    Response: Covered entities may continue to rely on existing 
guidance regarding how revocations of authorizations operate in the 
research context. Such guidance is published in several materials 
available at https://www.hhs.gov/ocr/privacy/hipaa/understanding/special/research/ (see, e.g., the fact sheet entitled, 
``Health Services Research and the HIPAA Privacy Rule''). The 
Department may issue additional guidance in the future with respect to 
revocation policies in the context of authorizations that specify, and 
under which protected health information has been disclosed for, future 
research uses.
    In response to the Secretary's Advisory Committee on Human Research 
Protections recommendation, we also clarify that while the Privacy Rule 
requires that a revocation of authorization from an individual be in 
writing, uses and disclosures pursuant to an authorization are 
permissive and not required, and thus, a covered entity may cease using 
or disclosing protected health information pursuant to an authorization 
based on an individual's oral request if it chooses to do so.
5. Protected Health Information About Decedents
a. Section 164.502(f)--Period of Protection for Decedent Information
Proposed Rule
    Section 164.502(f) requires covered entities to protect the privacy 
of a decedent's protected health information generally in the same 
manner and to the same extent that is required for the protected health 
information of living individuals. Thus, if an authorization is 
required for a particular use or disclosure of protected health 
information, a covered entity may use or disclose a decedent's 
protected health information in that situation only if the covered 
entity obtains an authorization from the decedent's personal 
representative. The personal representative for a decedent is the 
executor, administrator, or other person who has authority under 
applicable law to act on behalf of the decedent or the decedent's 
estate. The Department heard a number of concerns since the publication 
of the Privacy Rule that it can be difficult to locate a personal 
representative to authorize the use or disclosure of the decedent's 
protected health information, particularly after an estate is closed. 
Furthermore, archivists, biographers, and historians had expressed 
frustration regarding the lack of access to ancient or old records of 
historical value held by covered entities, even when there are likely 
few surviving individuals concerned with the privacy of such 
information. Archives and libraries may hold medical records, as well 
as correspondence files, physician diaries and casebooks, and 
photograph collections containing fragments of

[[Page 5614]]

identifiable health information, that are centuries old. Currently, to 
the extent such information is maintained by a covered entity, it is 
subject to the Privacy Rule.
    Accordingly, we proposed to amend Sec.  164.502(f) to require a 
covered entity to comply with the requirements of the Privacy Rule with 
regard to the protected health information of a deceased individual for 
a period of 50 years following the date of death. We also proposed to 
modify the definition of ``protected health information'' at Sec.  
160.103 to make clear that the individually identifiable health 
information of a person who has been deceased for more than 50 years is 
not protected health information under the Privacy Rule. We proposed 50 
years to balance the privacy interests of living relatives or other 
affected individuals with a relationship to the decedent, with the 
difficulty of obtaining authorizations from personal representatives as 
time passes. A 50-year period of protection had also been suggested at 
a National Committee for Vital and Health Statistics (the public 
advisory committee which advises the Secretary on the implementation of 
the Administrative Simplification provisions of HIPAA, among other 
issues) meeting, at which committee members heard testimony from 
archivists regarding the problems associated with applying the Privacy 
Rule to very old records. See https://ncvhs.hhs.gov/050111mn.htm. We 
requested public comment on the appropriateness of this time period.
Overview of Public Comments
    The majority of public comment on this proposal was in favor of 
limiting the period of protection for decedent health information to 50 
years past the date of death. Some of these commenters specifically 
cited the potential benefits to research. A few commenters stated that 
the 50-year period was too long and should be shortened to, for 
example, 25 years. Some supporters of limiting privacy protection for 
decedent information indicated that the date of death is often 
difficult to determine, and thus suggested an alternative time period 
(e.g., 75, 100, 120, 125 years) starting from the last date in the 
medical record, if the date of death is unknown.
    Some commenters were opposed to limiting the period of protection 
for decedent health information due to the continued privacy interests 
of living relatives as well as the decedent, particularly when highly 
sensitive information is involved, including HIV/AIDS status, or 
psychiatric or substance abuse treatment. A couple of commenters 
recommended that there should be no time limit on the protection of 
psychotherapy notes. One commenter expressed concern that this 
modification may encourage covered entities to retain records that they 
would not have otherwise in order to profit from the data after the 50-
year period. One commenter suggested that the period of protection 
should be extended to 100 years, if protections are to be limited at 
all. A few commenters were opposed to the 50-year period of protection 
because they interpreted this provision to be a proposed record 
retention requirement.
Final Rule
    After considering the public comments, the final rule adopts the 
proposal. We believe 50 years is an appropriate period of protection 
for decedent health information, taking into account the remaining 
privacy interests of living individuals after the span of approximately 
two generations have passed, and the difficulty of obtaining 
authorizations from a personal representative of a decedent as the same 
amount of time passes. For the same reason, we decline to shorten the 
period of protection as suggested by some commenters or to adopt a 100-
year period of protection for decedent information. We also believe the 
50-year period of protection to be long enough so as not to provide an 
incentive for covered entities to change their record retention 
policies in order to profit from the data about a decedent once 50 
years has elapsed.
    With respect to commenters' concerns regarding protected health 
information about decedents that is sensitive, such as HIV/AIDS, 
substance abuse, or mental health information, or that involves 
psychotherapy notes, we emphasize that the 50-year period of protection 
for decedent health information under the Privacy Rule does not 
override or interfere with State or other laws that provide greater 
protection for such information, or the professional responsibilities 
of mental health or other providers. Covered entities may continue to 
provide privacy protections to decedent information beyond the 50-year 
period, and may be required to do so under other applicable laws or as 
part of their professional responsibility. Alternatively, covered 
entities may choose to destroy decedent information although other 
applicable law may prescribe or limit such destruction.
    We also decline to limit protections under the Privacy Rule to a 
certain period beyond the last date in the medical record. While we 
appreciate the challenges that may be present in determining the date 
of death of an individual in cases in which it is not sufficiently 
clear from the age of the record whether the individual is deceased, we 
believe that this determination is necessary in closer cases to protect 
the individual, as well as living relatives and others, who may be 
affected by disclosure of the information. Further, as we stated in the 
NPRM, this modification has no impact on a covered entity's disclosures 
permitted under other provisions of the Privacy Rule. For example, a 
covered entity is permitted to disclose protected health information of 
decedents for research that is solely on the information of decedents 
in accordance with Sec.  164.512(i)(1)(iii), without regard to how long 
the individual has been deceased.
    Finally, we clarify that the 50-year period of protection is not a 
record retention requirement. The HIPAA Privacy Rule does not include 
medical record retention requirements and covered entities may destroy 
such records at the time permitted by State or other applicable law. 
(We note that covered entities are subject to the accounting 
requirements at Sec.  164.528 and, thus, would need to retain or record 
certain information regarding their disclosures of protected health 
information.) However, if a covered entity does maintain decedent 
health information for longer than 50 years following the date of death 
of the individual, this information will no longer be subject to the 
Privacy Rule.
b. Section 164.510(b)--Disclosures About a Decedent to Family Members 
and Others Involved in Care
Proposed Rule
    Section 164.510(b) describes how a covered entity may use or 
disclose protected health information to persons, such as family 
members or others, who are involved in an individual's care or payment 
related to the individual's health care. The Department had received a 
number of questions about the scope of the section, specifically with 
regard to disclosing protected health information when the individual 
who is the subject of the information was deceased. We had additionally 
heard concerns that family members, relatives, and others, many of whom 
may have had access to the health information of the deceased 
individual prior to death, have had difficulty obtaining access to such 
information after the death of the individual, because many do not 
qualify as a

[[Page 5615]]

``personal representative'' of the decedent under the Privacy Rule at 
Sec.  164.502(g)(4).
    As such, we proposed to amend Sec.  164.510(b) to add a new 
paragraph (5), which would permit covered entities to disclose a 
decedent's information to family members and others who were involved 
in the care or payment for care of the decedent prior to death, unless 
doing so is inconsistent with any prior expressed preference of the 
individual that is known to the covered entity. We emphasized that 
these modifications would not change the authority of a decedent's 
personal representative with regard to the decedent's protected health 
information. Thus, a personal representative would continue to have a 
right to access the decedent's protected health information relevant to 
such personal representation, and have authority to authorize uses and 
disclosures of the decedent's protected health information that are not 
otherwise permitted or required by the Privacy Rule. We requested 
comment on any unintended consequences that this proposed disclosure 
provision might cause.
Overview of Public Comments
    Most commenters supported the proposal to permit disclosures to 
family members and others involved in the care or payment for care of 
the decedent prior to death, unless doing so is inconsistent with any 
prior expressed preference of the individual that is known to the 
covered entity. These commenters felt that such permissive disclosures 
would help facilitate important and appropriate communications with 
family members and others who had been involved in the individual's 
care or payment for health care prior to the individual's death but who 
may not rise to the level of personal representative. Some commenters 
stated that the provision recognizes the legitimate interest that 
family members may have in a decedent's health information as it 
affects their own health care.
    A few commenters opposed the proposal to expressly permit 
communications with family members and other persons who had been 
involved with the individual's care or payment for care prior to death. 
Two commenters felt it would be a large burden on covered entities to 
determine the legitimacy of a requestor as a family member or 
individual involved in the care or payment for care. One commenter 
questioned the need for family members to have access to decedent 
health information and the likelihood of anyone other than the personal 
representative to have been meaningfully involved in the care or 
payment for care of the decedent.
Final Rule
    The final rule adopts the proposal to amend Sec.  164.510(b) to 
permit covered entities to disclose a decedent's protected health 
information to family members and others who were involved in the care 
or payment for care of the decedent prior to death, unless doing so is 
inconsistent with any prior expressed preference of the individual that 
is known to the covered entity.
    In response to commenters who opposed this provision, we believe 
the provision strikes the appropriate balance in allowing 
communications with family members and other persons who were involved 
in the individual's care or payment for care prior to death, unless 
doing so is inconsistent with the prior expressed wishes of the 
individual. This will ensure family members and others can find out 
about the circumstances surrounding the death of their loved ones, 
unless the individual prior to his or her death objected to the covered 
entity making such communications. Further, the Privacy Rule limits 
such disclosures, similar to the other disclosures permitted under 
Sec.  164.510(b), to the protected health information relevant to the 
family member or other person's involvement in the individual's health 
care or payment for health care. For example, a covered health care 
provider could describe the circumstances that led to an individual's 
passing with the decedent's sister who is asking about her sibling's 
death. In addition, a covered health care provider could disclose 
billing information to a family member of a decedent who is assisting 
with wrapping up the decedent's estate. However, in both of these 
cases, the provider generally should not share information about past, 
unrelated medical problems. Finally, these disclosures are permitted 
and not required, and thus, a covered entity that questions the 
relationship of the person to the decedent or otherwise believes, based 
on the circumstances, that disclosure of the decedent's protected 
health information would not be appropriate, is not required to make 
the disclosure.
Response to Other Public Comments
    Comment: Commenters requested guidance on what it means for a 
person to have been ``involved in the care'' of the decedent prior to 
death. One commenter suggested including language in the final rule 
that would put the burden of proof of ``involvement in the individual's 
care'' on the requestor and not the covered entity, and would hold the 
covered entity harmless when disclosing decedent information in good 
faith in accordance with this new permission.
    Response: We interpret this phrase in the same manner as we have 
with respect to disclosures of protected health information of living 
individuals under Sec.  164.510(b). See the Department's existing 
guidance at https://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf. Subject to the specified conditions, 
disclosures may be made under this provision to family members, as well 
as to other persons provided the covered entity has reasonable 
assurance the individual prior to death was involved in the 
individual's care or payment for care. Depending on the circumstances, 
this could include disclosures to spouses, parents, children, domestic 
partners, other relatives, or friends of a decedent. As with similar 
disclosures concerning living individuals under Sec.  164.510(b)(1)(i), 
this provision does not generally apply to disclosures to health care 
providers, health plans, public health authorities, law enforcement 
officials, and others whose access to protected health information is 
governed by other provisions of the Privacy Rule.
    We decline to include language in the final rule placing the burden 
of proof on the requestor to demonstrate they were involved in the 
individual's care. In some cases, it will be readily apparent to the 
covered entity that a person is a family member or was involved in the 
individual's care prior to death because the person would have made 
themselves known to the covered entity prior to the individual's death 
by either visiting with or inquiring about the individual, or the 
individual would have identified such person as being involved in their 
care or payment for care to a member of the covered entity's workforce. 
In other cases, the covered entity need just have reasonable assurance 
that the person is a family member of the decedent or other person who 
was involved in the individual's care or payment for care prior to 
death. For example, the person may indicate to the covered entity how 
he or she is related to the decedent or offer sufficient details about 
the decedent's circumstances prior to death to indicate involvement in 
the decedent's care prior to death. As stated above, a covered entity 
that is uncomfortable disclosing protected health information under 
this provision because of questions about the person's

[[Page 5616]]

relationship to the decedent is not required to do so.
    Comment: Several commenters requested and offered suggested 
clarifications on the scope of the terms ``personal representative'' 
and ``family member.''
    Response: The Privacy Rule already identifies the persons who 
qualify as a personal representative of a decedent at Sec.  
164.502(g)(4). Further, this final rule includes a definition of 
``family member'' at Sec.  160.103.
    Comment: A few commenters suggested extending this provision to 
allow disclosures to the decedent's health care ``proxy,'' ``medical 
power of attorney,'' ``power of attorney,'' and ``estate executor.''
    Response: We decline to expand the provision as suggested. Under 
the Privacy Rule, a person with authority under applicable law to act 
on behalf of the decedent or the decedent's estate is the personal 
representative of the decedent. Thus, certain of these persons, such as 
the executor of the estate, already have a right of access to the 
decedent's protected health information. In cases where a person does 
not rise to the level of a personal representative, the final rule at 
Sec.  164.510(b) permits, subject to any prior expressed preference of 
the individual, a covered entity to disclose relevant protected health 
information of the decedent to family members of the decedent or 
persons who otherwise were involved in the individual's care or payment 
for care prior to the individual's death, which may include persons who 
held a health care proxy for the individual or a medical power of 
attorney.
6. Section 164.512(b)--Disclosure of Student Immunizations to Schools
Proposed Rule
    The Privacy Rule, at Sec.  164.512(b), recognizes that covered 
entities must balance protecting the privacy of health information with 
sharing health information with those responsible for ensuring public 
health and safety, and permits covered entities to disclose the minimum 
necessary protected health information to public health authorities or 
other designated persons or entities without an authorization for 
public health purposes specified by the Rule.
    Schools play an important role in preventing the spread of 
communicable diseases among students by ensuring that students entering 
classes have been immunized. Most States have ``school entry laws'' 
which prohibit a child from attending school unless the school has 
proof that the child has been appropriately immunized. Some States 
allow a child to enter school provisionally for a certain period of 
time while the school waits for the necessary immunization information. 
Typically, schools ensure compliance with those requirements by 
requesting the immunization records from parents (rather than directly 
from a health care provider). However, where a covered health care 
provider is requested to send the immunization records directly to a 
school, the Privacy Rule generally requires written authorization by 
the child's parent before a covered health care provider may do so.
    Since the Privacy Rule went into effect, we had heard concerns that 
the requirement for covered entities to obtain authorization before 
disclosing student immunization information may make it more difficult 
for parents to provide, and for schools to obtain, the necessary 
immunization documentation for students, which may prevent students' 
admittance to school. The National Committee on Vital and Health 
Statistics submitted these concerns to the HHS Secretary and 
recommended that HHS regard disclosure of immunization records to 
schools to be a public health disclosure, thus eliminating the 
requirement for authorization. See https://www.ncvhs.hhs.gov/04061712.html. As such, we proposed to amend Sec.  164.512(b)(1) by 
adding a new paragraph that permits covered entities to disclose proof 
of immunization to schools in States that have school entry or similar 
laws.\10\ While written authorization that complies with Sec.  164.508 
would no longer have been required for disclosure of such information 
under the proposal, the covered entity would still have been required 
to obtain agreement, which may have been oral, from a parent, guardian 
or other person acting in loco parentis for the individual, or from the 
individual him- or herself, if the individual is an adult or 
emancipated minor. Because the proposed provision would have permitted 
a provider to accept a parent's oral agreement to disclose immunization 
results to a school--as opposed to a written agreement--the NPRM 
acknowledged a potential for a miscommunication and later objection by 
the parent. We, therefore, requested comment on whether the Privacy 
Rule should require that a provider document any oral agreement under 
this provision to help avoid such problems, or whether a requirement 
for written documentation would be overly cumbersome, on balance. We 
also requested comment on whether the rule should mandate that the 
disclosures go to a particular school official and if so, who that 
should be.
---------------------------------------------------------------------------

    \10\ We note that once a student's immunization records are 
obtained and maintained by an educational institution or agency to 
which the Family Educational Rights and Privacy Act (FERPA) applies, 
the records are protected by FERPA, rather than the HIPAA Privacy 
Rule. See paragraphs (2)(i) and (2)(ii) of the definition of 
``protected health information'' at Sec.  160.103, which exclude 
from coverage under the Privacy Rule student records protected by 
FERPA. In addition, for more information on the intersection of 
FERPA and HIPAA, readers are encouraged to consult the Joint HHS/ED 
Guidance on the Application of FERPA and HIPAA to Student Health 
Records, available at https://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf.
---------------------------------------------------------------------------

    In addition, the Privacy Rule does not define the term ``school'' 
and the types of schools subject to the school entry laws may vary by 
State. For example, depending on the State, such laws may apply to 
public and private elementary or primary schools and secondary schools 
(kindergarten through 12th grade), as well as daycare and preschool 
facilities, and post-secondary institutions. Thus, we requested comment 
on the scope of the term ``school'' for the purposes of this section 
and whether we should include a specific definition of ``school'' 
within the regulation itself. In addition, we requested comment on the 
extent to which schools that may not be subject to these school entry 
laws but that may also require proof of immunization have experienced 
problems that would warrant their being included in this category of 
public health disclosures.
Overview of Public Comments
    Most commenters were generally in favor of permitting covered 
entities to disclose student immunization records based on obtaining 
agreement, which may be oral, from a parent, guardian or other person 
acting in loco parentis for the individual, or from the individual 
himself or herself, if the individual is an adult or emancipated minor, 
rather than written authorization. Commenters supported the intent to 
facilitate the transmission of immunization records to ease the burden 
on parents, schools and covered entities, and to minimize the amount of 
school missed by students.
    Some commenters opposed the proposal to require oral or written 
agreement, claiming that a new form of ``agreement'' would introduce 
unnecessary complexity and confusion, and would not help to reduce 
burden. These commenters asserted that covered entities would document 
the verbal agreements for their own liability purposes, even if not 
required by the Privacy Rule. In this manner, the documentation burden 
would still be

[[Page 5617]]

present. Some commenters recommended that instead of an oral agreement 
or authorization requirement, disclosure of immunization records to 
schools should be considered an exempt public health disclosure. A 
small minority of commenters felt that the current authorization system 
should be maintained as it is the best way to ensure patient safety and 
privacy while avoiding miscommunications and misunderstandings.
    Commenters were divided on the issue of requiring written 
documentation of the agreement. Some commenters were in favor of 
documenting oral agreements, citing that the documentation would be 
less cumbersome than obtaining written authorizations while also 
helping to avoid miscommunications. On the other hand, some commenters 
felt that requiring written documentation would be burdensome and would 
eliminate the benefits introduced by permitting oral agreements. Some 
commenters also requested flexibility for covered entities to determine 
whether or not written documentation is appropriate and necessary for 
their purposes.
    The majority of commenters requested that a designated recipient of 
the student immunization records not be defined, and that schools be 
allowed flexibility to identify the appropriate individual(s) that can 
act as the school official permitted to receive the records. Commenters 
indicated that while the disclosures would ideally be made to a nurse 
or licensed health professional at the school, such a health 
professional may not always be present. In such instances, it should be 
permissible that the immunization records be disclosed to another 
official designated by the school as a suitable representative. One 
commenter recommended that the school nurse be designated as the 
recipient and custodian of the records.
    Most commenters recommended that the definition of ``school'' be 
interpreted broadly in order to best support public health efforts. 
Commenters provided suggestions on the types of schools that should be 
included, for example, K-12 schools, public and private schools, and 
post-secondary schools. Many commenters also suggested that daycare, 
preschool and nursery school facilities be encompassed in the 
definition of school. One commenter expressly recommended that child 
care facilities or day care programs not be included in the definition 
of school, despite acknowledging the need to protect the health of 
these children, due to the fact that many States have different laws 
for these settings and are separate from school systems. Two commenters 
suggested defining schools as being open to children up to age 18, 
since students become adults at age 18 and can authorize the disclosure 
of their own information. A few commenters suggested that the 
definition include all schools that require immunization documentation 
as a prerequisite to enrollment, not just those that are subject to 
State entry laws, in order to protect public health in all school 
settings, since the threat of un-immunized children exists regardless 
of State school entry laws. Additionally, some commenters recommended 
that the term ``school'' not be defined in the Privacy Rule due to the 
variation across States in the types of schools that are subject to the 
entry laws.
Final Rule
    The final rule adopts the proposal to amend Sec.  164.512(b)(1) by 
adding a new paragraph that permits a covered entity to disclose proof 
of immunization to a school where State or other law requires the 
school to have such information prior to admitting the student. While 
written authorization will no longer be required to permit this 
disclosure, covered entities will still be required to obtain 
agreement, which may be oral, from a parent, guardian or other person 
acting in loco parentis for the individual, or from the individual 
himself or herself, if the individual is an adult or emancipated minor. 
We believe that the option to provide oral agreement for the disclosure 
of student immunization records will relieve burden on parents, 
schools, and covered entities, and greatly facilitate the role that 
schools play in public health, while still giving parents the 
opportunity to consider whether to agree to the disclosure of this 
information.
    The final rule additionally requires that covered entities document 
the agreement obtained under this provision. The final rule does not 
prescribe the nature of the documentation and does not require 
signature by the parent, allowing covered entities the flexibility to 
determine what is appropriate for their purposes. The documentation 
must only make clear that agreement was obtained as permitted under 
this provision. For example, if a parent or guardian submits a written 
or email request to a covered entity to disclose his or her child's 
immunization records to the child's school, a copy of the request would 
suffice as documentation of the agreement. Likewise, if a parent or 
guardian calls the covered entity and requests over the phone that his 
or her child's immunization records be disclosed to the child's school, 
a notation in the child's medical record or elsewhere of the phone call 
would suffice as documentation of the agreement. We emphasize that the 
agreement is not equivalent to a HIPAA-compliant authorization, and 
covered entities are not required to document a signature as part of 
this requirement. We disagree with comments that documentation would be 
as burdensome on covered entities as written authorization, since an 
authorization form contains many required statements and elements, 
including a signature by the appropriate individual, which are not 
required for the agreement and documentation contemplated here. 
Furthermore, we believe that documentation of oral agreements will help 
to prevent miscommunications and potential future objections by parents 
or individuals, and the concerns that covered entities may have 
regarding liability, penalty or other enforcement actions for 
disclosures made pursuant to an oral agreement.
    Several commenters recommended that in lieu of an oral agreement, 
disclosure of immunization records to schools are presumed to be 
permitted, while giving individuals the option to opt out of this 
presumption or request a restriction to the disclosure. One commenter 
advocated for this public health exemption for disclosure of 
immunization records as being particularly critical for children who 
may be, for example, homeless, living with someone other than a parent 
or legal guardian, or living with a parent that does not speak English. 
We remove the written authorization requirement to help facilitate 
these disclosures with as much flexibility as possible. However, we do 
not intend this provision to change the current practice of parents, 
guardians, or other persons acting in loco parentis contacting a 
child's health care provider to request proof of immunization be sent 
to the child's school. Therefore, we still require active agreement 
from the appropriate individual, and a health care provider may not 
disclose immunization records to a school under this provision without 
such agreement. The agreement must be an affirmative assent or request 
by a parent, guardian, or other person acting in loco parentis (or by 
an adult individual or emancipated minor, if applicable) to the covered 
entity, which may be oral and over the phone, to allow the disclosure 
of the immunization records. A mere request by a school to a health 
care provider for the immunization records of a student would not be 
sufficient to permit disclosure under this provision (and

[[Page 5618]]

such a request by a school might also raise implications under other 
laws, such as FERPA).
    We decline to include definitions of ``school official'' and 
``school'' in the final rule. The motivation for this new permissive 
disclosure is to promote public health by reducing the burden 
associated with providing schools with student immunization records and 
we do not wish to create additional difficulties or confusion in doing 
so. We therefore agree with commenters that schools are best equipped 
to determine the appropriate individual to receive student immunization 
records at their location and will benefit from having this 
flexibility. We also agree with commenters that ``school'' should 
remain undefined in the Privacy Rule due to the variation across States 
in the types of schools that are subject to the entry laws. We believe 
that this will best align with State law and cause the least amount of 
confusion. We did not receive sufficient comment regarding the breadth 
of schools that are not subject to school entry laws or the burden that 
these institutions face to justify expanding this provision to allow 
disclosure of proof of immunization to such schools without an 
authorization.
Response to Other Public Comments
    Comment: Several commenters raised concerns about the dynamic 
between the Privacy Rule requirements and State law requirements 
regarding immunization disclosures. Commenters indicated that some 
State laws require providers to directly share immunization records 
with schools and provide parents with the opportunity to opt out of 
this direct sharing. Commenters also indicated the use of State 
immunization registries in many States, to which schools are permitted 
direct access. One commenter suggested that the Privacy Rule permit 
State law to determine what is the minimum necessary for proof of 
immunization.
    Response: We take this opportunity to clarify that the Privacy Rule 
at Sec.  164.512(a) permits a covered entity to use or disclose 
protected health information to the extent that such use or disclosure 
is required by law and the use or disclosure complies with and is 
limited to the relevant requirements of such law. As such, the Privacy 
Rule does not prohibit immunization disclosures that are mandated by 
State law, nor does it require authorization for such disclosures. With 
regard to State laws that require covered entities to disclose 
immunization records to schools and allow parents to opt out, this is 
not in any way prohibited by the Privacy Rule. However, with regard to 
State laws that permit but do not require covered entities to disclose 
immunization records to schools, this does not meet the requirements of 
the provisions at Sec.  164.512(a), and disclosures of immunization 
records are subject to the Privacy Rule agreement and documentation 
requirements described in this part. We also note that the Privacy Rule 
at Sec.  164.512(b) permits a covered entity to disclose protected 
health information for public health activities. Disclosures of 
protected health information to State immunization registries are 
therefore permitted by the Privacy Rule and also do not require 
authorization. The Privacy Rule at Sec.  164.514(d)(3)(iii)(A) provides 
that a covered entity, when making a permitted disclosure pursuant to 
Sec.  164.512 to a public official, may determine, if such a 
determination is reasonable under the circumstances, that information 
requested by a public official is the minimum necessary information for 
the stated purpose, if the public official represents that the 
information requested is the minimum necessary for the stated 
purpose(s). Under this provision, a covered entity may rely on State 
law or a State official's determination of the minimum necessary 
information required for proof of immunization, unless such 
determination is unreasonable.
    Comment: Commenters requested guidance on when and how often to 
obtain agreement for immunization disclosures.
    Response: We anticipate that covered entities will obtain agreement 
for the disclosure of immunization records on a case-by-case basis as 
needed. For example, a parent may call and request that a covered 
entity provide his or her child's immunization records before the child 
begins elementary school, if required by State school entry laws. If 
that child moves to a different school and is unable to transfer their 
immunization records to the new school, the parent may need to request 
that the covered entity provide his or her child's immunization records 
to the new school, if required by State school entry laws. A parent 
might also generally indicate to a covered entity that he or she 
affirmatively agrees to the immediate or future disclosure of his or 
her child's immunization records to the child's school as necessary, or 
the continued disclosure of such information if, for example, updates 
are required by the school when a series of vaccinations have been 
completed.
    Comment: Commenters requested clarification on the length of time 
an agreement may be relied upon.
    Response: An agreement to permit the disclosure of immunization 
records is considered effective until revoked by the parent, guardian 
or other person acting in loco parentis for the individual, or by the 
individual himself or herself, if the individual is an adult or 
emancipated minor.
    Comment: Commenters requested clarification regarding any 
requirement for schools to maintain the immunization records.
    Response: The Privacy Rule does not require schools to keep student 
immunization records; however individual State or other laws may 
require this.
7. Section 164.514(f)--Fundraising
Proposed Rule
    Section 164.514(f)(1) of the Privacy Rule permits a covered entity 
to use, or disclose to a business associate or an institutionally 
related foundation, the following protected health information about an 
individual for the covered entity's fundraising from that individual 
without the individual's authorization: (1) Demographic information 
relating to an individual; and (2) the dates of health care provided to 
an individual. Section 164.514(f)(2) of the Privacy Rule requires a 
covered entity that plans to use or disclose protected health 
information for fundraising under this paragraph to inform individuals 
in its notice of privacy practices that it may contact them to raise 
funds for the covered entity. In addition, Sec.  164.514(f)(2) requires 
that a covered entity include in any fundraising materials it sends to 
an individual a description of how the individual may opt out of 
receiving future fundraising communications and that a covered entity 
must make reasonable efforts to ensure that individuals who do opt out 
are not sent future fundraising communications.
    Section 13406(b) of the HITECH Act requires the Secretary to 
provide by rule that a covered entity provide the recipient of any 
fundraising communication with a clear and conspicuous opportunity to 
opt out of receiving any further fundraising communications. 
Additionally, section 13406(b) states that if an individual does opt 
out of receiving further fundraising communications, the individual's 
choice to opt out must be treated as a revocation of authorization 
under Sec.  164.508 of the Privacy Rule.
    In the NPRM, we proposed a number of changes to the Privacy Rule's 
fundraising requirements to implement the statutory provisions. First, 
we proposed to strengthen the opt out by

[[Page 5619]]

requiring that a covered entity provide, with each fundraising 
communication sent to an individual under these provisions, a clear and 
conspicuous opportunity for the individual to elect not to receive 
further fundraising communications. To satisfy this requirement, we 
also proposed to require that the method for an individual to elect not 
to receive further fundraising communications may not cause the 
individual to incur an undue burden or more than nominal cost. We 
encouraged covered entities to consider the use of a toll-free phone 
number, an email address, or similar opt out mechanism that would 
provide individuals with a simple, quick, and inexpensive way to opt 
out of receiving future communications. We noted that we considered 
requiring individuals to write a letter to opt out to constitute an 
undue burden on the individual.
    We also proposed to provide that a covered entity may not condition 
treatment or payment on an individual's choice with respect to 
receiving fundraising communications. We believed this modification 
would implement the language in section 13406(b) of the HITECH Act that 
provides that an election by an individual not to receive further 
fundraising communications shall be treated as a revocation of 
authorization under the Privacy Rule.
    Further, we proposed to provide that a covered entity may not send 
fundraising communications to an individual who has elected not to 
receive such communications. This would strengthen the current 
requirement at Sec.  164.514(f)(2)(iii) that a covered entity make 
``reasonable efforts'' to ensure that those individuals who have opted 
out of receiving fundraising communications are not sent such 
communications. The NPRM proposed stronger language to make clear the 
expectation that covered entities abide by an individual's decision not 
to receive fundraising communications, as well as to make the 
fundraising opt out operate more like a revocation of authorization, 
consistent with the statutory language and legislative history of 
section 13406(b) of the HITECH Act discussed above.
    With respect to the operation of the opt out, we requested comment 
regarding to what fundraising communications the opt out should apply 
(i.e., should the opt out apply to all future fundraising 
communications or should and can the opt out be structured in a way to 
apply only to the particular fundraising campaign described in the 
letter). We also requested comment on whether the Rule should allow a 
similar method, short of the individual signing an authorization, by 
which an individual who has previously opted out can put his or her 
name back on an institution's fundraising list.
    We proposed to retain the requirement that a covered entity that 
intends to contact the individual to raise funds under these provisions 
include a statement to that effect in its notice of privacy practices. 
However, we proposed that the required statement also inform 
individuals that they have a right to opt out of receiving such 
communications.
    In addition to the above modifications, we requested public comment 
on the requirement at Sec.  164.514(f)(1) which limits the information 
a covered entity may use or disclose for fundraising to demographic 
information about and dates of health care service provided to an 
individual. Since the promulgation of the Privacy Rule, we acknowledged 
that certain covered entities have raised concerns regarding this 
limitation, maintaining that the Privacy Rule's prohibition on the use 
or disclosure of certain treatment information without an 
authorization, such as the department of service where care was 
received and outcomes information, impedes their ability to raise funds 
from often willing and grateful patients because they are unable to 
target their fundraising efforts and avoid inappropriate solicitations 
to individuals who may have had a bad treatment outcome. Such entities 
have argued that obtaining an individual's authorization for 
fundraising as the individual enters or leaves the hospital for 
treatment is often impracticable or inappropriate. The proposed rule 
also discussed the fact that the National Committee on Vital and Health 
Statistics held a hearing and heard public testimony on this issue in 
July 2004 and recommended to the Secretary that the Privacy Rule should 
allow covered entities to use or disclose information related to the 
patient's department of service (broad designations, such as surgery or 
oncology, but not narrower designations or information relating to 
diagnosis or treating physician) for fundraising activities without 
patient authorization. The National Committee on Vital and Health 
Statistics also recommended that a covered entity's notice of privacy 
practices inform patients that their department of service information 
may be used in fundraising, and that patients should be afforded the 
opportunity to opt out of the use of their department of service 
information for fundraising or all fundraising contacts altogether. See 
https://www.ncvhs.hhs.gov/040902lt1.htm.
    In light of these concerns and the prior recommendation of the 
National Committee on Vital and Health Statistics, we asked for public 
comment on whether and how the current restriction on what information 
may be used and disclosed should be modified to allow covered entities 
to more effectively target fundraising and avoid inappropriate 
solicitations to individuals, as well as to reduce the need to send 
solicitations to all patients. In particular, we solicited comment on: 
(1) Whether the Privacy Rule should allow additional categories of 
protected health information to be used or disclosed for fundraising, 
such as department of service or similar information, and if so, what 
those categories should be; (2) the adequacy of the minimum necessary 
standard to appropriately limit the amount of protected health 
information that may be used or disclosed for fundraising purposes; or 
(3) whether the current limitation should remain unchanged. We also 
solicited comment on whether, if additional information is permitted to 
be used or disclosed for fundraising absent an authorization, covered 
entities should be required to provide individuals with an opportunity 
to opt out of receiving any fundraising communications before making 
the first fundraising solicitation, in addition to the opportunity to 
opt out with every subsequent communication. We invited public comment 
on whether such a pre-solicitation opt out would be workable for 
covered entities and individuals and what mechanisms could be put into 
place to implement the requirement.
Overview of Public Comments
    In general, the public comments received in response to the NPRM 
were supportive of the proposed modifications but many asked that the 
final rule give covered entities flexibility with respect to 
operationalizing these requirements. Several commenters provided 
examples of routine communications and expressed the need for guidance 
and clarification about what constitutes a fundraising communication.
    Generally, most commenters supported the NPRM's proposed 
requirement that the method through which the covered entity permits 
individuals to opt out of receiving future fundraising communications 
not cause individuals to incur an undue burden or more than a nominal 
cost. Many commenters stated that the final rule should give covered 
entities the flexibility to determine which opt out

[[Page 5620]]

methods will work best given their circumstances, instead of requiring 
all covered entities to employ specific opt out methods. These 
commenters noted that depending on the size of the covered entity and 
type of population it serves, certain opt out methods might not be 
feasible, such as one that requires the establishment of a toll-free 
number, which may be cost prohibitive for some small entities. 
Similarly, some commenters noted that because not all individuals have 
access to a computer and the Internet, providing individuals with the 
opportunity to opt out via email alone may not be sufficient.
    With respect to the scope of the opt out, the commenters were 
generally split on whether the opt out should apply to communications 
related to a specific fundraising campaign or to all future fundraising 
communications. The commenters in support of applying the opt out to a 
specific fundraising campaign stated that it would be too difficult for 
individuals to make a meaningful decision about whether they wanted to 
opt out of all future fundraising communications, and allowing 
individuals to opt out of all futurefundraising communications would 
greatly hinder a covered entity's ability to raise funds. Those 
commenters in favor of implementing an all or nothing opt out stated 
that it would be too difficult for covered entities, especially large 
facilities, to track campaign-specific opt outs for each individual, so 
applying the opt out universally would make it much easier for covered 
entities to implement. Other commenters asked that the final rule take 
a flexible approach and permit covered entities to decide the scope of 
the opt out, while others stated that the final rule should require 
covered entities to include both opt out options on each fundraising 
communication leaving the decision to individuals.
    Additionally, while most commenters supported the prohibition on 
conditioning treatment or payment on an individual's choice regarding 
the receipt of fundraising communications, most commenters opposed the 
NPRM's proposal that prohibited covered entities from sending future 
fundraising communications to those individuals who had opted out and 
stated that it was too strict. The majority of these commenters 
suggested that the final rule retain the Privacy Rule's original 
``reasonable efforts'' language and stated that while covered entities 
have every incentive not to send fundraising communications to those 
individuals who have opted out of receiving them, it is very difficult 
for covered entities to ensure 100 percent accuracy with this policy. 
Several commenters stated that there are lag times between the period 
of time in which a fundraising mailing list is compiled and the time in 
which a fundraising communication is sent out, so if an individual has 
opted out during the interim time period, covered entities may not be 
able to prevent the prepared fundraising communication from being sent. 
Other commenters stated that it may be difficult to implement an opt 
out across all records belonging to that individual where 
complications, such as name changes and variation, address changes, and 
multiple addresses are involved.
    For those individuals who have opted out of receiving fundraising 
communications, commenters generally supported allowing those 
individuals to opt back in to receiving such communications. Some 
suggested that individuals be able to opt back in using the same 
methods they used to opt out, while others suggested that any 
communication indicating a willingness to resume receiving fundraising 
communications, such as making a donation to the covered entity, should 
function as an opt in. Other commenters suggested that the final rule 
limit the amount of time that an individual can opt out, such that 
after this period of time the individual automatically begins receiving 
fundraising communications again. A few commenters were opposed to 
permitting individuals to opt back in to receive fundraising 
communications, stating that this would be too costly and burdensome 
for covered entities to track.
    With respect to the requests for public comments regarding the 
potential use or disclosure of additional protected health information 
to provide more targeted fundraising communications, the vast majority 
of commenters supported allowing the use or disclosure of additional 
protected health information for fundraising. These commenters stated 
that the use of additional protected health information would 
streamline their fundraising efforts and ensure that individuals were 
sent communications about campaigns that would be meaningful to their 
experiences. These commenters also stated that it would eliminate the 
concern of sending a communication to an individual or family that 
suffered a negative outcome. Commenters suggested several categories of 
protected health information that covered entities should be able to 
use to target their fundraising efforts, including department or site 
of service, generic area of treatment, department where last seen, 
outcome information, treating physician, diagnosis, whether the 
individual was a pediatric or adult patient, medical record number, 
Social Security number, or other unique identifier, and any other 
information that reflects the fact that the individual was served by 
the covered entity.
    With respect to the minimum necessary standard, a few commenters 
supported its use to limit any additional categories of protected 
health information that can be used to target a covered entity's 
fundraising efforts. These commenters supported the use of the standard 
because of how familiar and comfortable most covered entities are at 
applying the minimum necessary standard. However, another commenter was 
opposed to the use of the minimum necessary standard, stating that it 
is not uniformly applied across covered entities.
    Despite the general support for the use of additional protected 
health information, a small minority of commenters opposed allowing the 
use of additional protected health information to target fundraising 
efforts, citing privacy concerns with doing so. One commenter opposed 
expanding the information that could be used for fundraising in cases 
where outside fundraising entities are used, including those with whom 
the covered entity has executed business associate agreements.
    All commenters were opposed to requiring covered entities to 
provide a pre-solicitation opt out to individuals and stated that 
permitting individuals to opt out in the first fundraising 
communication is sufficient. Several commenters noted that the proposed 
revision to the notice of privacy practices to require a covered entity 
to inform individuals of their right to opt out of receiving 
fundraising communications effectively functions as a pre-solicitation 
opt out, so individuals who wish to opt out of receiving such 
communications immediately can do so upon receipt of the notice.
Final Rule
    We generally adopt the proposals in the final rule, as well as 
allow certain additional types of protected health information to be 
used or disclosed for fundraising purposes.
    With respect to the commenters who expressed confusion over what 
constitutes a fundraising communication, we emphasize that the final 
rule does nothing to modify the types of communications that are 
currently considered to be for fundraising purposes. A communication to 
an individual that is made by a covered entity, an institutionally 
related foundation, or a business associate on behalf of the covered 
entity for the

[[Page 5621]]

purpose of raising funds for the covered entity is a fundraising 
communication for purposes of Sec.  164.514(f). The Department has 
stated that ``[p]ermissible fundraising activities include appeals for 
money, sponsorship of events, etc. They do not include royalties or 
remittances for the sale of products of third parties (except auctions, 
rummage sales, etc.).'' See 65 FR 82718. Additionally, the Privacy Rule 
has always required that such communications contain a description of 
how the individual may opt out of receiving further fundraising 
communications (Sec.  164.514(f)(2)(ii)).
    With respect to the proposed requirement that the method for an 
individual to elect not to receive further fundraising communications 
should not cause the individual to incur an undue burden or more than a 
nominal cost, we generally agree with the commenters who suggested that 
the final rule be flexible and not prescriptive. Under the final rule, 
covered entities are free to decide what methods individuals can use to 
opt out of receiving further fundraising communications, as long as the 
chosen methods do not impose an undue burden or more than a nominal 
cost on individuals. Covered entities should consider the use of a 
toll-free phone number, an email address, or similar opt out mechanisms 
that provide individuals with simple, quick, and inexpensive ways to 
opt out of receiving further fundraising communications. Covered 
entities may employ multiple opt out methods, allowing individuals to 
determine which opt out method is the simplest and most convenient for 
them, or a single method that is reasonably accessible to all 
individuals wishing to opt out.
    In response to commenters who expressed concern about the cost of 
setting up a toll-free phone number, we clarify that covered entities 
may require individuals who wish to opt out of further fundraising 
communications to do so through other methods, (e.g., through the use 
of a local phone number), where appropriate, as long as the method or 
methods adopted do not impose an undue burden or cost on the 
individual. We encourage covered entities to consider the size of the 
population to which they are sending the communications, the geographic 
distribution, and any other factors that may help determine which opt 
out method(s) is most appropriate and least burdensome to individuals.
    We continue to consider requiring individuals to write and send a 
letter to the covered entity asking not to receive further fundraising 
communications to constitute an undue burden. However, requiring that 
individuals opt out of further fundraising communications by simply 
mailing a pre-printed, pre-paid postcard would not constitute an undue 
burden under the final rule and is an appropriate alternative to the 
use of a phone number or email address.
    Regarding the scope of the opt out, the commenters were split on 
whether the opt out should apply to all future fundraising 
communications or to a specific fundraising campaign. The final rule 
leaves the scope of the opt out to the discretion of covered entities. 
For those covered entities that expressed concern about the ability to 
track campaign-specific opt outs, they have the discretion to apply the 
opt out to all future fundraising communications. Likewise, those 
covered entities that prefer, and have the ability to track, campaign-
specific opt outs are free to apply the opt out to specific fundraising 
campaigns only. Covered entities are also free to provide individuals 
with the choice of opting out of all future fundraising communications 
or just campaign-specific communications. Whatever method is employed, 
the communication should clearly inform individuals of their options 
and any consequences of electing to opt out of further fundraising 
communications.
    Despite the commenters who did not support the strengthened 
language in the NPRM prohibiting covered entities from sending further 
fundraising communications to those individuals who have already opted 
out, the final rule adopts this provision without modification. While 
many commenters supported the current ``reasonable efforts'' standard 
and cited several reasons that may make it difficult to attain the 
proposed standard, we adopt the proposed standard because it is 
consistent with the statute and more protective of an individual's 
right to elect not to receive further fundraising communications. For 
example, some commenters cited lag times between the creation of 
mailing lists and the receipt or update of opt out lists and difficulty 
in accurately identifying individuals on the fundraising lists due to 
name changes or variations and multiple addresses. These issues are 
common to the management of the medical or billing records and 
effectuating revocations of authorization, requests for access, and 
other general communications between the entity and the individual. We 
expect the same care and attention to the handling of protected health 
information in fundraising communications as is necessary for the 
proper handling of this information in all other health care operations 
performed by the covered entity. Covered entities voluntarily choosing 
to send fundraising communications to individuals must have data 
management systems and processes in place to timely track and flag 
those individuals who have opted out of receiving fundraising 
communications to ensure that they are not sent additional fundraising 
communications.
    The majority of commenters supported allowing a process for 
individuals who have opted out of receiving further fundraising 
communications to opt back in and the final rule at Sec.  
164.514(f)(2)(v) permits covered entities have one. Like the discretion 
given to covered entities regarding the methods through which an 
individual can opt out, the final rule gives covered entities the 
discretion to determine how individuals should be able to opt back in. 
For example, a covered entity could include as a part of a routine 
newsletter sent to all patients a phone number individuals can call to 
be put on a fundraising list.
    While some commenters suggested that opt outs should be time 
limited such that an individual automatically opts back in after a 
certain period of time, we do not believe that an individual's election 
not to receive further fundraising communications is something that 
should automatically lapse. Because the individual has actively chosen 
to opt out, only a similar active decision by the individual to opt 
back in will suffice. Additionally, where an individual who has opted 
out of fundraising communications makes a donation to a covered entity, 
it does not serve, absent a separate election to opt back in, to 
automatically add the individual back onto the mailing list for 
fundraising communications.
    The Privacy Rule currently permits covered entities to use or 
disclose only demographic information relating to the individual and 
dates of health care provided to the individual for fundraising 
communications. In response to several commenters who asked for 
clarification regarding the scope of demographic information, the final 
rule, at Sec.  164.514(f)(1)(i), clarifies that demographic information 
relating to an individual includes names, addresses, other contact 
information, age, gender, and dates of birth. Although much of this 
information was listed in the preamble to the 2000 final rule (65 FR 
82718) as being demographic information with respect to the fundraising 
provisions, we have added this information to the regulatory text for 
clarity. Additionally, we have included date of birth as demographic 
information, instead of merely age. We

[[Page 5622]]

believe that date of birth may be useful to covered entities because 
they are more likely to maintain a record of an individual's date of 
birth, rather than his or her static age. We also note that the 2000 
preamble identifies insurance status as falling within the category of 
demographic information. The final rule continues to allow covered 
entities to use or disclose information about an individual's health 
insurance status for fundraising purposes; however, we list this 
category of information separately in the regulatory text, as we do not 
believe this information truly constitutes demographic information.
    In addition to demographic information, health insurance status, 
and dates of health care provided to the individual (which is currently 
permitted under the Rule), this final rule also allows covered entities 
to use and disclose department of service information, treating 
physician information, and outcome information for fundraising 
purposes. These three categories of information were most frequently 
identified by commenters as the most needed for covered entities to 
further target fundraising communications to appropriate individuals. 
Although we do not define these terms, we clarify that department of 
service information includes information about the general department 
of treatment, such as cardiology, oncology, or pediatrics. 
Additionally, we clarify that outcome information includes information 
regarding the death of the patient or any sub-optimal result of 
treatment or services. In permitting its use for fundraising purposes, 
we intend for it to be used by the covered entity itself to screen and 
eliminate from fundraising solicitations those individuals experiencing 
a sub-optimum outcome, and for its disclosure to a business associate 
or institutionally related foundation only where such screening 
function is done by those parties. We also emphasize that as with any 
use or disclosure under the Privacy Rule, a covered entity must apply 
the minimum necessary standard at Sec.  164.502(b) to ensure that only 
the minimum amount of protected health information necessary to 
accomplish the intended purpose is used or disclosed.
    We adopt in the final rule the provision prohibiting the 
conditioning of treatment or payment on an individual's choice with 
respect to the receipt of fundraising communications. We also adopt at 
Sec.  164.520(b)(1)(iii)(A) the requirement that the notice of privacy 
practices inform individuals that a covered entity may contact them to 
raise funds for the covered entity and an individual has a right to opt 
out of receiving such communications. The final rule does not require 
covered entities to send pre-solicitation opt outs to individuals prior 
to the first fundraising communication. We believe that because the 
individual will be on notice of the opportunity to opt out of receiving 
fundraising communications through the notice of privacy practices and 
the first fundraising communication itself will contain a clear and 
conspicuous opportunity to opt out, there is no need to require covered 
entities to incur the additional burden and cost of sending pre-
solicitation opt outs.
    Under the Privacy Rule fundraising communications can take many 
forms, including communications made over the phone. Despite the fact 
that the HITECH Act refers only to written fundraising communications, 
because the Privacy Rule applies to communications made over the phone, 
we believe it would be counterintuitive to apply the strengthened opt 
out requirement to only written fundraising communications. Therefore, 
like fundraising communications made in writing, covered entities that 
make fundraising communications over the phone must clearly inform 
individuals that they have a right to opt out of further solicitations. 
Accordingly, to make clear that the opt out requirement applies to 
fundraising solicitations made over the phone, the final rule provides 
that the opt out requirement applies to each fundraising communication 
``made'' rather than ``sent'' to an individual.
    We also emphasize that the notice and opt out requirements for 
fundraising communications apply only where the covered entity is using 
or disclosing protected health information to target the fundraising 
communication. If the covered entity does not use protected health 
information to send fundraising materials, then the notice and opt out 
requirements do not apply. For example, if a covered entity uses a 
public directory to mail fundraising communications to all residents in 
a particular geographic service area, the notice and opt out 
requirements are not applicable.
Response to Other Public Comments
    Comment: A few commenters suggested that, to better protect an 
individual's privacy, particularly where sensitive health information 
may be used to target solicitations, the final rule should require an 
opt in process rather than an opt out process for consenting to 
fundraising communications.
    Response: We decline to require an opt in process. The HITECH Act 
did not replace the right to opt out of fundraising communications with 
an opt in process. Further, we continue to believe that the opt out 
process, particularly as it has been strengthened by the HITECH Act and 
this final rule, provides individuals with appropriate control over the 
use of their information for these purposes.
    Comment: One commenter asked that if an individual opts out of 
receiving further fundraising communications through a mailed 
communication, must the covered entity also remove the individual's 
name from the list through which the covered entity sends email 
fundraising communications, or must the individual opt out of receiving 
such email communications separately.
    Response: A covered entity may choose to provide individuals with 
the opportunity to select their preferred method for receiving 
fundraising communications. If an individual elects to opt out of 
future fundraising communications, then the opt out is effective for 
all forms of fundraising communications. Thus, the individual must be 
removed from all such lists.
8. Section 164.520--Notice of Privacy Practices for Protected Health 
Information
Proposed Rule
    Section 164.520 of the Privacy Rule sets out the requirements for 
most covered entities to have and distribute a notice of privacy 
practices (NPP). The NPP must describe the uses and disclosures of 
protected health information a covered entity is permitted to make, the 
covered entity's legal duties and privacy practices with respect to 
protected health information, and the individual's rights concerning 
protected health information.
    Section 164.520(b)(1)(ii) requires a covered entity to include 
separate statements about permitted uses and disclosures that the 
covered entity intends to make, including uses and disclosures for 
certain treatment, payment, or health care operations purposes. 
Further, Sec.  164.520(b)(1)(ii)(E) currently requires that the NPP 
contain a statement that any uses and disclosures other than those 
permitted by the Privacy Rule will be made only with the written 
authorization of the individual, and that the individual has the right 
to revoke an authorization pursuant to Sec.  164.508(b)(5).
    We proposed to amend Sec.  164.520(b)(1)(ii)(E) to require that the 
NPP describe the uses and disclosures of protected health information 
that

[[Page 5623]]

require an authorization under Sec.  164.508(a)(2) through (a)(4) 
(i.e., including a statement that most uses and disclosures of 
psychotherapy notes and of protected health information for marketing 
purposes and the sale of protected health information require an 
authorization), and provide that other uses and disclosures not 
described in the notice will be made only with the individual's 
authorization.
    Section 164.520(b)(1)(iii) requires a covered entity to include in 
its NPP separate statements about certain activities if the covered 
entity intends to engage in any of the activities. In particular, Sec.  
164.520(b)(1)(iii) requires a separate statement in the notice if the 
covered entity intends to contact the individual to provide appointment 
reminders or information about treatment alternatives or other health-
related benefits or services; to contact the individual to fundraise 
for the covered entity; or, with respect to a group health plan, to 
disclose protected health information to the plan sponsor.
    First, with respect to this provision, the NPRM proposed to modify 
Sec.  164.520(b)(1)(iii)(A) to align the required statement with the 
proposed modifications related to marketing and subsidized treatment 
communications. The provision would have required a covered health care 
provider that intends to send treatment communications to individuals 
and has received financial remuneration in exchange for making the 
communication to, in its NPP, notify individuals of this intention and 
to inform them that they can opt out of receiving such communications. 
Second, at Sec.  164.520(b)(1)(iii)(B) we proposed to require that if a 
covered entity intends to contact the individual to raise funds for the 
entity as permitted under Sec.  164.514(f)(1), the covered entity must 
not only inform the individual in the NPP of this intention but also 
must inform the individual that he or she has the right to opt out of 
receiving such communications.
    Section 164.520(b)(1)(iv) requires that the NPP contain statements 
regarding the rights of individuals with respect to their protected 
health information and a brief description of how individuals may 
exercise such rights. Section 164.520(b)(1)(iv)(A) currently requires a 
statement and a brief description addressing an individual's right to 
request restrictions on the uses and disclosures of protected health 
information pursuant to Sec.  164.522(a), including the fact that the 
covered entity is not required to agree to this request.
    The NPRM proposed to modify Sec.  164.520(b)(1)(iv)(A) to require a 
statement explaining that the covered entity is required to agree to a 
request to restrict disclosure of protected health information to a 
health plan if the disclosure is for payment or health care operations 
and pertains to a health care item or service for which the individual 
has paid out of pocket in full, as provided at Sec.  164.522(a)(1)(vi).
    Under Subpart D of Part 164, covered entities now have new breach 
notification obligations. We requested comment on whether the Privacy 
Rule should require a specific statement regarding this new legal duty 
and what particular aspects of this new duty would be important for 
individuals to be notified of in the NPP.
    The NPRM stated that modifications to Sec.  164.520 would represent 
material changes to covered entities' NPPs. Section 164.520(b)(3) 
requires that when there is a material change to the NPP, covered 
entities must promptly revise and distribute the NPP as outlined at 
Sec.  164.520(c). Section 164.520(c)(1)(i)(C) requires that health 
plans provide notice to individuals covered by the plan within 60 days 
of any material revision to the NPP. Because we acknowledged that 
revising and redistributing a NPP may be costly for health plans, we 
requested comment on ways to inform individuals of this change to 
privacy practices without unduly burdening health plans. We requested 
comment on options for informing individuals in a timely manner of this 
proposed or other material changes to the NPP. We also requested 
comment on this issue in the proposed changes to the Privacy Rule 
pursuant to the Genetic Information Nondiscrimination Act (GINA), as 
discussed below in Section VI. In particular, the Department requested 
comment on the following options: (1) Replace the 60-day requirement 
with a requirement for health plans to revise their NPPs and 
redistribute them (or at least notify members of the material change to 
the NPP and how to obtain the revised NPP) in their next annual mailing 
to members after a material revision to the NPP, such as at the 
beginning of the plan year or during the open enrollment period; (2) 
provide a specified delay or extension of the 60-day timeframe for 
health plans (3) retain the provision generally to require health plans 
to provide notice within 60 days of a material revision but provide 
that the Secretary will waive the 60-day timeframe in cases where the 
timing or substance of modifications to the Privacy Rule call for such 
a waiver; or (4) make no change and thus, require that health plans 
that perform underwriting provide notice to individuals within 60 days 
of the material change to the NPP that would be required by this 
proposed rule. The Department requested comment on these options, as 
well as any other options for informing individuals in a timely manner 
of material changes to the NPP.
    Section 164.520(c)(2)(iv) requires that when a health care provider 
with a direct treatment relationship with an individual revises the 
NPP, the health care provider must make the NPP available upon request 
on or after the effective date of the revision and must comply with the 
requirements of Sec.  164.520(c)(2)(iii) to have the NPP available at 
the delivery site and to post the notice in a clear and prominent 
location. We did not propose changes to these provisions because we did 
not believe these requirements to be overly burdensome but we requested 
comment on the issue.
Overview of Public Comments
    We received several comments expressing support for the proposed 
requirement that the NPP include a statement about the uses and 
disclosures that require authorization. However, other commenters 
opposed this requirement, arguing that because not all uses and 
disclosures will apply to every individual, the statement will cause 
confusion and unnecessary concern. Additionally, these commenters 
argued that the cost of listing all of the situations requiring 
authorization would be significant.
    We received several comments in support of the proposed requirement 
that the NPP include a specific statement about authorization for uses 
and disclosures of psychotherapy notes. Some of these commenters 
requested that the final rule require covered providers to describe in 
their NPPs their recordkeeping practices with regard to psychotherapy 
notes and how those practices affect what information can be used and 
disclosed. Several commenters argued that only covered entities that 
record psychotherapy notes should be required to include a statement 
about the authorization requirement for psychotherapy notes in their 
NPPs.
    We also received several comments expressing concern regarding the 
proposed requirement to include information in the NPP about the 
individual's right to opt out of receiving certain communications. 
These commenters argued that information notifying individuals that 
they could opt out of receiving further subsidized treatment or 
fundraising communications would provide little

[[Page 5624]]

value to individuals at a significant cost to covered entities. These 
commenters felt that including this information would be unnecessary 
because all subsidized treatment and fundraising communications 
themselves will include an opt-out mechanism, and as such, including 
the information in the NPP may cause unnecessary concern for consumers.
    We received one comment in support of the requirement to include in 
the NPP a statement about an individual's right to restrict certain 
uses and disclosures of protected health information if the individual 
pays for treatment or services out-of-pocket in full. We also received 
one comment suggesting that only health care providers should be 
required to include such a statement in their NPP.
    We received a number of comments supporting a requirement to 
include a statement in the NPP about the right to be notified following 
a breach of unsecured protected health information. One commenter 
suggested that explaining breach notification requirements in the NPP 
would help entities handle customer service issues that arise when 
customers become upset upon receipt of such a breach notification. 
However, a number of other commenters expressed opposition to this 
proposal due to concern that such a statement would cause unnecessary 
concern and fear among individuals who may believe that covered 
entities cannot appropriately secure their protected health 
information. Finally, we received one comment requesting that HHS 
specify the required elements of a breach notification statement for a 
NPP.
    We also received several comments arguing that the proposed changes 
should not constitute material changes to privacy practices requiring a 
new NPP, particularly where covered entities have already revised their 
NPPs to comply with the HITECH Act or State law requirements. Two 
additional commenters argued that each covered entity should determine 
whether a change is material or not, depending on its existing privacy 
practices.
    We received a number of comments regarding the appropriate timing 
and manner for distributing new NPPs. The majority of the comments 
received generally fell into three categories: (1) Support for a 
requirement to revise and distribute notices within 60 days of a 
material change; (2) a recommendation for HHS to require that covered 
entities promptly post a revised NPP on their Web site in conjunction 
with a requirement to send a notice of the change by mail within a 
specified period; and (3) a request for HHS to extend the compliance 
deadline and permit the distribution of the revised NPP through a 
quarterly newsletter, annual mailing, after 18 months of transition, or 
in a triennial mailing. In addition, many commenters supported 
electronic distribution of an NPP or a notice of material changes to 
the NPP.
    While not proposed, some commenters suggested eliminating or 
alternatives to the current requirements for health care providers with 
direct treatment relationships to hand the NPP to every individual 
patient and make a good faith attempt to obtain acknowledgement of 
receipt.
    A few commenters also expressed concern regarding the cost burden 
associated with revising and distributing a new NPP. One commenter 
argued that considerations of cost do not justify a delay in 
distributing a revised NPP.
Final Rule
    First, the final rule adopts the modification to Sec.  
164.520(b)(1)(ii)(E), which requires certain statements in the NPP 
regarding uses and disclosures that require authorization. We note 
that, contrary to some commenter concerns, the final rule does not 
require the NPP to include a list of all situations requiring 
authorization. Instead, the NPP must contain a statement indicating 
that most uses and disclosures of psychotherapy notes (where 
appropriate), uses and disclosures of protected health information for 
marketing purposes, and disclosures that constitute a sale of protected 
health information require authorization, as well as a statement that 
other uses and disclosures not described in the NPP will be made only 
with authorization from the individual.
    The final rule does not require the NPP to include a description of 
a covered entity's recordkeeping practices with respect to 
psychotherapy notes; however, covered entities are free to include such 
additional information in their NPP if they choose. Additionally, in 
response to requests by some commenters, we clarify that covered 
entities that do not record or maintain psychotherapy notes are not 
required to include a statement in their NPPs about the authorization 
requirement for uses and disclosures of psychotherapy notes.
    Second, because the final rule treats all subsidized treatment 
communications as marketing communications, we have not adopted the 
proposal to require a statement in the NPP about such communications 
and the ability of an individual to opt out. For further discussion on 
the decision to treat all subsidized treatment communications as 
marketing communications requiring an authorization, please see the 
above discussion regarding Sec.  164.501.
    The final rule, however, adopts the proposed requirement for a 
statement in the NPP regarding fundraising communications and an 
individual's right to opt out of receiving such communications, if a 
covered entity intends to contact an individual to raise funds for the 
covered entity. Because individuals will be provided the opportunity to 
opt out of fundraising communications with each solicitation, the final 
rule does not require the NPP to include the mechanism for individuals 
to opt out of receiving fundraising communications, although covered 
entities are free to include such information if they choose to do so.
    The final rule also adopts the proposal that the NPP inform 
individuals of their new right to restrict certain disclosures of 
protected health information to a health plan where the individual pays 
out of pocket in full for the health care item or service. Only health 
care providers are required to include such a statement in the NPP; 
other covered entities may retain the existing language indicating that 
a covered entity is not required to agree to a requested restriction.
    The final rule also requires covered entities to include in their 
NPP a statement of the right of affected individuals to be notified 
following a breach of unsecured protected health information. We 
believe that individuals should be informed of their right to receive 
and the obligations of covered entities to provide notification 
following a breach. We disagree with the commenters who argued that 
such a statement would cause individuals unnecessary concern and would 
create unfounded fear that covered entities cannot appropriately secure 
protected health information. Such advance notice of their rights 
should provide helpful context for individuals should they later 
receive a breach notification. In response to comments, we also clarify 
that a simple statement in the NPP that an individual has a right to or 
will receive notifications of breaches of his or her unsecured 
protected health information will suffice for purposes of this 
requirement. We do not intend for this requirement to add undue 
complexity or length to a covered entity's NPP. Thus, the statement 
need not be entity-specific, such as by describing how the covered 
entity will conduct a risk assessment, include the regulatory 
descriptions of ``breach'' or ``unsecured PHI,'' or describe the types

[[Page 5625]]

of information to be provided in the actual breach notification to the 
individual. However, covered entities that wish to include additional 
or more detailed information may do so.
    These changes represent material changes to the NPP of covered 
entities. We disagree with the few commenters who argued that such 
modifications to Sec.  164.520 do not constitute material changes of 
privacy practices requiring the distribution of new NPPs. The 
modifications to Sec.  164.520 are significant and are important to 
ensure that individuals are aware of the HITECH Act changes that affect 
privacy protections and individual rights regarding protected health 
information.
    Section 164.520(c)(1) of the final rule requires a health plan that 
currently posts its NPP on its Web site in accordance with Sec.  
164.520(c)(3)(i) to: (1) Prominently post the material change or its 
revised notice on its web site by the effective date of the material 
change to the notice (e.g., the compliance date of this final rule) and 
(2) provide the revised notice, or information about the material 
change and how to obtain the revised notice, in its next annual mailing 
to individuals then covered by the plan, such as at the beginning of 
the plan year or during the open enrollment period. Health plans that 
do not have customer service web sites are required to provide the 
revised NPP, or information about the material change and how to obtain 
the revised notice, to individuals covered by the plan within 60 days 
of the material revision to the notice. These requirements apply to all 
material changes including, where applicable, the rule change adopted 
pursuant to GINA to prohibit most health plans from using or disclosing 
genetic information for underwriting purposes.
    We believe these distribution requirements best balance the right 
of individuals to be informed of their privacy rights with the burden 
on health plans to provide the revised NPP. We also note that health 
plans should provide both paper- and web-based notices in a way 
accessible to all beneficiaries, including those individuals with 
disabilities. These modifications provide an avenue for an individual 
to be informed of material changes upon their effective date while 
better aligning the NPP distribution with health plans' normal mailings 
to individuals.
    For health care providers, the final rule does not modify the 
current requirements to distribute revisions to the NPP. As such, Sec.  
164.520(c)(2)(iv) requires that when a health care provider with a 
direct treatment relationship with an individual revises the NPP, the 
health care provider must make the NPP available upon request on or 
after the effective date of the revision and must comply with the 
requirements of Sec.  164.520(c)(2)(iii) to have the NPP available at 
the delivery site and to post the notice in a clear and prominent 
location. In response to several comments expressing concern about 
printing costs for new NPPs, we clarify that providers are not required 
to print and hand out a revised NPP to all individuals seeking 
treatment; providers must post the revised NPP in a clear and prominent 
location and have copies of the NPP at the delivery site for 
individuals to request to take with them. Providers are only required 
to give a copy of the NPP to, and obtain a good faith acknowledgment of 
receipt from, new patients. As a result, we do not believe that the 
current requirement is overly burdensome to providers, nor is it overly 
costly. We also clarify that while health care providers are required 
to post the NPP in a clear and prominent location at the delivery site, 
providers may post a summary of the notice in such a location as long 
as the full notice is immediately available (such as on a table 
directly under the posted summary) for individuals to pick up without 
any additional burden on their part. It would not be appropriate, 
however, to require the individual to have to ask the receptionist for 
a copy of the full NPP.
    To the extent that some covered entities have already revised their 
NPPs in response to the enactment of the HITECH Act or State law 
requirements, we clarify that as long as a covered entity's current NPP 
is consistent with this final rule and individuals have been informed 
of all material revisions made to the NPP, the covered entity is not 
required to revise and distribute another NPP upon publication of this 
final rule. Finally, we note that to the extent a covered entity is 
required to comply with Section 504 of the Rehabilitation Act of 1973 
or the Americans with Disabilities Act of 1990, the covered entity has 
an obligation to take steps that may be necessary to ensure effective 
communication with individuals with disabilities, which could include 
making the revised NPP or notice of material changes to the NPP 
available in alternate formats, such as Braille, large print, or audio.
Response to Other Public Comments
    Comment: One commenter expressed concern about the addition of more 
information to the NPP when it is already very long and complex, while 
several commenters recommended that the final rule require NPPs to be 
shortened, simplified, and written in a clear, easily understandable 
manner. In addition, while a few commenters suggested that HHS provide 
a sample or standard NPP, many more commenters requested flexibility in 
developing the content of their respective NPPs.
    Response: We believe that the additions to the NPP required by the 
final rule are necessary to fully inform individuals of the covered 
entity's privacy practices and their rights. The NPP should be provided 
in a clear, concise, and easy to understand manner, and we clarify that 
covered entities may use a ``layered notice'' to implement the Rule's 
provisions, so long as the elements required at Sec.  164.520(b) are 
included in the document that is provided for the individual. For 
example, a covered entity may satisfy the NPP provisions by providing 
the individual with both a short notice that briefly summarizes the 
individual's rights, as well as other information, and a longer notice, 
layered beneath the short notice that contains all the elements 
required by the Rule. Additionally, the Privacy Rule requires that the 
NPP be written in plain language, and we note that some covered 
entities may have obligations under other laws with respect to their 
communication with affected individuals. For example, to the extent a 
covered entity is obligated to comply with Title VI of the Civil Rights 
Act of 1964, the covered entity must take reasonable steps to ensure 
meaningful access for Limited English Proficient persons to the 
services of the covered entity, which could include translating the NPP 
into frequently encountered languages. In addition, we agree with the 
commenters who suggested that covered entities have flexibility and 
discretion to determine how to draft and prepare their NPPs. Because 
each NPP will vary based on the functions of the individual covered 
entity, there is no ``one size fits all'' approach. However, we 
continue to explore options for making model or best practice language 
available.
    Comment: One commenter requested elimination of the requirement 
that covered entities obtain agreement from individuals (an opt in) 
before electronic distribution while another commenter requested that 
HHS clarify that a covered entity may obtain an electronic agreement 
from an individual to receive an NPP electronically.
    Response: The Privacy Rule permits covered entities to distribute 
their NPPs or notices of material changes by email, provided the 
individual has agreed to receive an electronic copy. Although

[[Page 5626]]

internet access is a convenience of daily life for many individuals, 
maintaining the opt-in requirement ensures that individuals who are not 
able to or choose not to receive information electronically are fully 
informed of how their protected health information is being used and 
disclosed and of their individual rights with respect to this 
information. We clarify that agreement to receive electronic notice can 
be obtained electronically pursuant to the requirements at Sec.  
164.520(c)(3).
9. Section 164.522(a)--Right To Request a Restriction of Uses and 
Disclosures
    Section 164.522(a) of the Privacy Rule requires covered entities to 
permit individuals to request that a covered entity restrict uses or 
disclosures of their protected health information for treatment, 
payment, and health care operations purposes, as well as for 
disclosures to family members and certain others permitted under Sec.  
164.510(b). While covered entities are not required to agree to such 
requests for restrictions, if a covered entity does agree to restrict 
the use or disclosure of an individual's protected health information, 
the covered entity must abide by that restriction, except in emergency 
circumstances when the information is required for the treatment of the 
individual. Section 164.522 also includes provisions for the 
termination of such a restriction and requires that covered entities 
that have agreed to a restriction document the restriction in writing.
Proposed Rule
    Section 13405(a) of the HITECH Act sets forth certain circumstances 
in which a covered entity now must comply with an individual's request 
for restriction of disclosure of his or her protected health 
information. Specifically, section 13405(a) of the HITECH Act requires 
that when an individual requests a restriction on disclosure pursuant 
to Sec.  164.522, the covered entity must agree to the requested 
restriction unless the disclosure is otherwise required by law, if the 
request for restriction is on disclosures of protected health 
information to a health plan for the purpose of carrying out payment or 
health care operations and if the restriction applies to protected 
health information that pertains solely to a health care item or 
service for which the health care provider has been paid out of pocket 
in full.
    To implement section 13405(a) of the HITECH Act, we proposed a 
number of changes to the Privacy Rule's provisions regarding an 
individual's right to request restrictions of certain uses and 
disclosures. First, we proposed at Sec.  164.522(a)(1)(vi) to require a 
covered entity to agree to a request by an individual to restrict the 
disclosure of protected health information about the individual to a 
health plan if: (A) the disclosure is for the purposes of carrying out 
payment or health care operations and is not otherwise required by law; 
and (B) the protected health information pertains solely to a health 
care item or service for which the individual, or person on behalf of 
the individual other than the health plan, has paid the covered entity 
in full. In recognition that there are many situations in which family 
members or other persons may pay for the individual's treatment, we 
proposed to include language to the provision to ensure that this 
requirement not be limited to solely the individual paying for the 
health care item or service but would also include payment made by 
another person, other than the health plan, on behalf of the 
individual.
    We proposed to modify Sec.  164.522(a)(1)(ii), which states that a 
covered entity is not required to agree to a restriction, to refer to 
this exception to that general rule. We noted in the NPRM that in cases 
where an individual has exercised his or her right to restrict 
disclosure to a health plan under the above circumstances, the covered 
entity is also prohibited from making such disclosures to a business 
associate of the health plan, because a covered entity may only 
disclose protected health information to a business associate of 
another covered entity if the disclosure would be permitted directly to 
the other covered entity. We also proposed conforming modifications to 
Sec.  164.522(a)(2) and (3) regarding terminating restrictions and 
documentation of restrictions to reflect these new requirements, and to 
make clear that, unlike other agreed to restrictions, a covered entity 
may not unilaterally terminate a required restriction to a health plan 
under Sec.  164.522(a)(1)(ii).
    We provided a number of clarifications, and solicited public 
comment on a number of issues, regarding these proposed provisions, as 
follows. We stated that we interpret section 13405(a) as giving the 
individual a right to determine for which health care items or services 
the individual wishes to pay out of pocket and restrict. Thus, section 
13405(a) would not permit a covered entity to require individuals who 
wish to restrict disclosures about only certain health care items or 
services to a health plan to restrict disclosures of protected health 
information regarding all health care to the health plan. We requested 
comment on the types of treatment interactions between individuals and 
covered entities that would make implementing a restriction more 
difficult and ways to address such difficult situations, such as where 
an individual wishes to restrict a disclosure regarding a prescription 
to a health plan but because the provider electronically sends 
prescriptions to the pharmacy to be filled, the pharmacy may have 
already billed the health plan by the time the patient arrives at the 
pharmacy. We requested comment generally on whether covered health care 
providers that know of a restriction should inform other health care 
providers downstream of such restriction, including pharmacies, and 
whether technology could facilitate such notification. We requested 
comment on examples of the types of disclosures that may fall under 
this ``required by law'' exception. With respect to an individual, or 
someone on behalf of the individual, paying out of pocket for the 
health care item or service, we noted that the individual should not 
expect that this payment would count towards the individual's out of 
pocket threshold with respect to his or her health plan benefits. We 
requested comment on how this provision will function with respect to 
HMOs, given our understanding that under most current HMO contracts 
with providers an individual could not pay the provider in full for the 
treatment or service received. We clarified in the NPRM that if an 
individual's out of pocket payment for a health care item or service is 
not honored (e.g., the individual's check bounces), the covered entity 
is not obligated to continue to abide by the requested restriction 
because the individual has not fulfilled the requirements necessary to 
obtain the restriction. Additionally, we stated our expectation in such 
cases that covered entities make some attempt to resolve any payment 
issues with the individual prior to sending the protected health 
information to the health plan, such as by notifying the individual 
that his or her payment did not go through and giving the individual an 
opportunity to submit payment and requesting comment on the extent to 
which covered entities must make reasonable efforts to secure payment 
from the individual prior to billing the health plan. We requested 
comment on the scope of a restriction and in what circumstances it 
should apply to a subsequent, but related, treatment

[[Page 5627]]

encounter, such as follow-up care for treatment of a particular 
condition.
Overview of Public Comments
    We received many comments on these proposed provisions and our 
questions as to how they should apply. A number of commenters generally 
supported the provisions as being an important right for health care 
consumers. However, many commenters expressed concerns with these new 
requirements. Many commenters raised concerns with, and requested 
guidance on, how to operationalize a restriction. Several commenters 
were concerned with having to create separate records to ensure that 
restricted data is not inadvertently sent to or accessible by the 
health plan or to manually redact information from the medical record 
prior to disclosure to a health plan. Commenters argued that having to 
segregate restricted and unrestricted information or redact restricted 
information prior to disclosure would be burdensome as such a process 
would generally have to occur manually, and may result in difficulties 
with ensuring that treating providers continue to have access to the 
entire medical record. Some commenters were concerned specifically with 
having to manually redact or create separate records prior to a health 
plan audit, or otherwise with withholding information from a plan 
during an audit, to ensure a health plan would not see restricted 
information.
    With respect to the exception to a restriction for disclosures that 
are required by law, several commenters supported this exception but 
requested clarification on how such an exception would affect 
providers' existing legal obligations. Many commenters suggested that 
providers would be prohibited from receiving cash payment from 
individuals for items or services otherwise covered by State or 
Federally funded programs, such as Medicare and Medicaid, and thus, 
requested that disclosures to such State or Federally funded programs 
not be eligible for restriction. Similarly, some commenters sought 
clarification on the effect of this provision where certain State laws 
prohibit ``balance billing,'' making it illegal for the provider to 
bill the patient for any covered services over and above any 
permissible copayment, coinsurance or deductible amounts. Some 
commenters asked that we clarify that the ``required by law'' exception 
allows providers to disclose protected health information subject to a 
restriction for Medicare and Medicaid audits, because those insurers 
require complete, accurate records for audits.
    Other commenters were concerned with applying a restriction to only 
certain health care items or services provided during a single patient 
encounter or visit. Commenters argued that split billing is not 
possible for most providers or that it may be obvious to a health plan 
if one item or service out of a bundle is restricted and that 
unbundling services may be costly. One commenter suggested that 
individuals should only be able to restrict certain types of services/
treatment (e.g., cosmetic surgery and family planning services) as such 
services are more easily segregable from other health care services.
    In response to our question regarding available electronic methods 
through which a prescribing provider could alert a pharmacy that an 
individual intends to pay out of pocket for a prescription and restrict 
disclosure to a health plan, commenters indicated they were generally 
unaware of any system that would alert a pharmacy of restrictions 
electronically, and many agreed that the cost and burden of flagging 
records manually would not be feasible for all covered entities. In 
general, commenters agreed that paper prescriptions would provide 
individuals with an opportunity to request a restriction when they 
arrive at the pharmacy. However, commenters also noted that returning 
to the use of paper prescriptions over electronic prescribing would be 
a step in the wrong direction, as there are many benefits to electronic 
prescribing, and it is important not to limit these benefits.
    Almost all of the comments we received regarding the obligation 
generally of health care providers that know of a restriction to inform 
downstream health care providers of the restriction argued that it 
should be the individual's and not the provider's responsibility to 
inform downstream providers of any requested restriction. While a few 
commenters stated that the provider should bear this responsibility, 
the majority believed that this obligation would be difficult and 
burdensome for a provider. Some commenters acknowledged that in time, 
more advanced electronic and automated systems may allow providers to 
notify other providers downstream of a restriction, but these 
commenters stressed that such systems are not widely available at this 
time.
    With respect to the requirement's application to health care 
providers providing care within an HMO context, many commenters 
expressed support for the suggestion that HMO patients would have to 
use an out-of-network provider for treatment to ensure that the 
restricted information would not be disclosed to the HMO. Some 
commenters indicated that State laws and/or provider contracts with an 
HMO may prohibit the provider from receiving a cash payment from an HMO 
patient above the patient's cost-sharing amount for the health care 
item or service. Conversely, some commenters stated that individuals 
should not have to go out-of-network when requesting a restriction and 
instead, providers could and should treat the services as non-covered 
services and accept payment directly from the patient. Several 
commenters also suggested that managed care contracts would have to be 
revised or renegotiated in order to comply with this provision and as 
such, ample time for renegotiation should be provided.
    Commenters generally supported the language in the proposed rule 
making clear that a restriction would apply where an individual 
requests a restriction, but someone other than the individual (other 
than the health plan), such as a family member, pays for the 
individual's care on behalf of the individual. One commenter asked for 
clarification that payment by any health plan would not constitute 
payment out of pocket by the individual. The commenter stated that such 
clarification was necessary to avoid the situation where an individual 
has coverage under multiple plans, pays for care with a secondary plan, 
requests a restriction on disclosure to the primary plan, and then the 
secondary plan proceeds to obtain reimbursement from the primary plan 
disclosing the protected health information at issue. Another commenter 
asked that we clarify that a clinical research participant whose health 
care services are paid for by a research grant can still qualify for a 
restriction to the individual's health plan.
    Most commenters supported not having to abide by a requested 
restriction in cases where the individual's method of payment is 
returned or otherwise does not go through. A few commenters suggested 
that a covered entity should include information to this effect in its 
notice of privacy practices. A number of commenters expressed concern 
with the ability of a provider to bill a health plan for services 
following an individual's inability to pay. For example, a provider may 
find it difficult to be reimbursed for services if the provider did not 
obtain the plan's required pre-certification for services because the 
individual initially agreed to pay out of pocket for the services.
    Several commenters asked for guidance on what constitutes a

[[Page 5628]]

``reasonable effort'' to obtain payment from an individual prior to 
billing a health plan for health care services where an individual's 
original form of payment fails, and argued that the effort required 
should not be too burdensome on providers. A number of commenters 
suggested various alternatives. A few commenters suggested that 
providers should be able to set a deadline for payment and then bill 
the plan if the patient fails to pay; others requested that the 
regulation set a specific timeframe in which providers must be paid or 
the requested restriction is terminated. Some commenters suggested that 
a ``reasonable effort'' should be based upon a covered entity making 
one or two attempts to contact the patient and obtain payment. Another 
commenter recommended that reasonable efforts should require the 
provider to make a good faith effort to obtain payment based on their 
usual debt collection practices. Other commenters requested 
clarification that reasonable efforts would not require a provider 
sending a bill to a collection agency. Some commenters were generally 
concerned with requiring a provider to wait too long for payment, as 
the provider could risk the plan not paying for the treatment if it is 
billed too late. Certain commenters argued that providers should not 
have to engage in any attempts to resolve payment issues if an 
individual's payment fails prior to billing the health plan for the 
services. Finally, a number of commenters asked whether a provider 
could require payment in full at the time of the request for a 
restriction to avoid payment issues altogether.
    Finally, many commenters responded to the NPRM's approach to 
follow-up care. The majority of commenters supported the idea that if 
an individual does not request a restriction and pay out of pocket for 
follow up care, then the covered entity may disclose the protected 
health information necessary to obtain payment from the health plan for 
such follow up care, recognizing that some of the protected health 
information may relate to and/or indicate that the individual received 
the underlying health care item or service to which a restriction 
applied. A few commenters asked whether individual authorization would 
be required to disclose previously restricted protected health 
information to a health plan if the individual does not want to 
restrict the follow up care. A number of commenters expressed support 
for providers counseling patients on the consequences of not 
restricting follow-up care. A few commenters were concerned as to how a 
provider would know when such counseling was needed and what it should 
include, and asked whether giving the individual a written statement 
explaining the consequences would suffice.
Final Rule
    We adopt the modifications to Sec.  164.522 as proposed in the NPRM 
to implement section 13405(a) of the HITECH Act. In response to 
questions and comments regarding how to operationalize these 
requirements, we provide the following clarifications. We clarify that 
these provisions do not require that covered health care providers 
create separate medical records or otherwise segregate protected health 
information subject to a restricted health care item or service. 
Covered health care providers will, however, need to employ some method 
to flag or make a notation in the record with respect to the protected 
health information that has been restricted to ensure that such 
information is not inadvertently sent to or made accessible to the 
health plan for payment or health care operations purposes, such as 
audits by the health plan. Covered entities should already have in 
place, and thus be familiar with applying, minimum necessary policies 
and procedures, which require limiting the protected health information 
disclosed to a health plan to the amount reasonably necessary to 
achieve the purpose of the disclosure. Thus, covered entities should 
already have mechanisms in place to appropriately limit the protected 
health information that is disclosed to a health plan.
    With respect to commenters who were concerned about providers being 
able to continue to meet their legal obligations, such as disclosing 
protected health information to Medicare or Medicaid for required 
audits, we note that the statute and final rule continue to allow 
disclosures that are otherwise required by law, notwithstanding that an 
individual has requested a restriction on such disclosures. Thus, a 
covered entity may disclose the protected health information necessary 
to meet the requirements of the law. Under the Privacy Rule, ``required 
by law'' is defined at Sec.  164.103 as a mandate contained in law that 
compels a covered entity to make a use or disclosure of protected 
health information and that is enforceable in a court of law. For 
purposes of this definition, ``required by law'' includes Medicare 
conditions of participation with respect to health care providers 
participating in the program, and statutes and regulations that require 
the production of information if payment is sought under a government 
program providing public benefits. Therefore, if a covered entity is 
required by law to submit protected health information to a Federal 
health plan, it may continue to do so as necessary to comply with that 
legal mandate. With respect to commenters' concerns with prohibitions 
in State law and under Medicare and Medicaid that prevent providers 
from billing, and receiving cash payment from, an individual for 
covered services over and above any permissible cost sharing amounts, 
we provide the following guidance. If a provider is required by State 
or other law to submit a claim to a health plan for a covered service 
provided to the individual, and there is no exception or procedure for 
individuals wishing to pay out of pocket for the service, then the 
disclosure is required by law and is an exception to an individual's 
right to request a restriction to the health plan pursuant to Sec.  
154.522(a)(1)(vi)(A) of the Rule. With respect to Medicare, it is our 
understanding that when a physician or supplier furnishes a service 
that is covered by Medicare, then it is subject to the mandatory claim 
submission provisions of section 1848(g)(4) of the Social Security Act 
(the Act), which requires that if a physician or supplier charges or 
attempts to charge a beneficiary any remuneration for a service that is 
covered by Medicare, then the physician or supplier must submit a claim 
to Medicare. However, there is an exception to this rule where a 
beneficiary (or the beneficiary's legal representative) refuses, of 
his/her own free will, to authorize the submission of a bill to 
Medicare. In such cases, a Medicare provider is not required to submit 
a claim to Medicare for the covered service and may accept an out of 
pocket payment for the service from the beneficiary. The limits on what 
the provider may collect from the beneficiary continue to apply to 
charges for the covered service, notwithstanding the absence of a claim 
to Medicare. See the Medicare Benefit Policy Manual, Internet only 
Manual pub. 100-2, ch. 15, sect. 40, available at https://www.cms.gov/manuals/Downloads/bp102c15.pdf. Thus, if a Medicare beneficiary 
requests a restriction on the disclosure of protected health 
information to Medicare for a covered service and pays out of pocket 
for the service (i.e., refuses to authorize the submission of a bill to 
Medicare for the service), the provider must restrict the disclosure of 
protected health information regarding the service to Medicare in 
accordance with Sec.  164.522(a)(1)(vi).

[[Page 5629]]

    Certain commenters raised concerns with an individual requesting a 
restriction with respect to only one of several health care items or 
services provided in a single patient encounter, and a provider being 
prohibited from unbundling, or it being more costly to unbundle, the 
services for purposes of billing a health plan. In such cases, we 
expect providers to counsel patients on the ability of the provider to 
unbundle the items or services and the impact of doing so (e.g., the 
health plan still may be able to determine that the restricted item or 
service was performed based on the context). If a provider is able to 
unbundle the items or services and accommodate the individual's wishes 
after counseling the individual on the impact of unbundling, it should 
do so. If a provider is not able to unbundle a group of items or 
services, the provider should inform the individual and give the 
individual the opportunity to restrict and pay out of pocket for the 
entire bundle of items or services. Where a provider is not able to 
unbundle a group of bundled items or services, we view such group of 
bundled items or services as one item or service for the purpose of 
applying Sec.  164.522(a)(1)(v). However, we would expect a provider to 
accommodate an individual's request for a restriction for separable and 
unbundled health care items or services, even if part of the same 
treatment encounter, such as in the prior example with respect to the 
patient receiving both treatment for asthma and diabetes. Thus, we 
decline to provide as a general rule that an individual may only 
restrict either all or none of the health care items or services that 
are part of one treatment encounter.
    In response to the question we posed in the NPRM regarding methods 
through which a provider could electronically (such as through an e-
prescribing tool) notify a pharmacist of an individual's restriction 
request, the majority of commenters indicated that there currently is 
not a widely available method for electronically notifying a pharmacy 
that a patient has requested a restriction. Further, commenters 
generally argued that it would be costly, burdensome, and unworkable 
for a provider to attempt to notify all subsequent providers of an 
individual's restriction request, particularly given the lack of 
automated tools to make such notifications, and thus, it should remain 
the obligation of the individual to notify downstream providers if the 
individual wants to restrict protected health information to a health 
plan. We agree that it would be unworkable at this point, given the 
lack of automated technologies to support such a requirement, to 
require health care providers to notify downstream providers of the 
fact that an individual has requested a restriction to a health plan. 
However, we do encourage providers to counsel patients that they would 
need to request a restriction and pay out of pocket with other 
providers for the restriction to apply to the disclosures by such 
providers. In the case of an individual who wants to restrict 
disclosures to a health plan concerning a prescribed medication, the 
prescribing provider can provide the patient with a paper prescription 
to allow the individual an opportunity to request a restriction and pay 
for the prescription with the pharmacy before the pharmacy has 
submitted a bill to the health plan. However, while we do not require 
it, providers are permitted and encouraged to assist individuals as 
feasible in alerting downstream providers of the individual's desire to 
request a restriction and pay out of pocket for a particular health 
care item or service.
    For example, consider an individual who is meeting with her primary 
physician and requests a restriction on tests that are being 
administered to determine if she has a heart condition. If, after 
conducting the tests, the patient's primary physician refers the 
patient to a cardiologist, it is the patient's obligation to request a 
restriction from the subsequent provider, the cardiologist, if she 
wishes to pay out of pocket rather than have her health plan billed for 
the visit. Although the primary physician in this example would not be 
required to alert the cardiologist of the patient's potential desire to 
request a restriction, we encourage providers to do so if feasible or 
in the very least, to engage in a dialogue with the patient to ensure 
that he or she is aware that it is the patient's obligation to request 
restrictions from subsequent providers. In response to commenters who 
were confused about whether the individual or the provider would have 
the obligation of notifying subsequent providers when a Health 
Information Exchange is involved, we clarify that the responsibility to 
notify downstream providers of a restriction request in this situation 
also remains with the individual, and not the provider.
    With respect to HMOs, we clarify that a provider providing care in 
such a setting should abide by an individual's requested restriction 
unless doing so would be inconsistent with State or other law. Thus, if 
a provider within an HMO is prohibited by law from accepting payment 
from an individual above the individual's cost-sharing amount (i.e., 
the provider cannot accept an out of pocket payment from the individual 
for the service), then the provider may counsel the individual that he 
or she will have to use an out-of-network provider for the health care 
item or service in order to restrict the disclosure of protected health 
information to the HMO for the health care. Providers operating within 
an HMO context and who are able under law to treat the health care 
services to which the restriction would apply as out-of-network 
services should do so in order to abide by the requested restriction. 
We would not consider a contractual requirement to submit a claim or 
otherwise disclose protected health information to an HMO to exempt the 
provider from his or her obligations under this provision. Further, the 
final rule provides a 180-day compliance period beyond the effective 
date of these revisions to the Privacy Rule, during which provider 
contracts with HMOs can be updated as needed to be consistent with 
these new requirements.
    As proposed in the NPRM, under the final rule, a covered entity 
must apply a restriction not only where an individual pays in full for 
the healthcare item or service, but also where a family member or other 
person pays for the item or service on behalf of the individual. We 
decline to modify the regulation, as suggested by one commenter, to 
provide that payment from ``any'' health plan, rather than the one to 
which the disclosure is restricted, should not constitute payment on 
behalf of the individual. In response to the commenter's concern about 
difficulties in coordination of benefits for individuals with coverage 
under multiple plans, we note that this provision does not impede a 
health plan's ability to disclose protected health information as 
necessary to another health plan for coordination of benefits. Thus, 
health plans may continue to make such disclosures.
    Many commenters supported the discussion in the NPRM regarding not 
abiding by a restriction if an individual's payment is dishonored. In 
such cases, we continue to expect that providers will make a reasonable 
effort to contact the individual and obtain payment prior to billing a 
health plan. We do not prescribe the efforts a health care provider 
must make but leave that up to the provider's policies and individual 
circumstances. While we require the provider to make a reasonable 
effort to secure payment from the individual, this requirement is not 
intended to place an additional

[[Page 5630]]

burden on the provider but is instead intended to align with its 
current policies for contacting individuals to obtain an alternative 
form of payment to one that was dishonored. We do not require that the 
individual's debt be placed in collection before a provider is 
permitted to bill a health plan for the health care services. Further, 
a provider may choose to require payment in full at the time of the 
request for a restriction to avoid payment issues altogether. 
Similarly, where precertification is required for a health plan to pay 
for services, a provider may require the individual to settle payments 
for the care prior to providing the service and implementing a 
restriction to avoid the situation where the provider is unable to be 
reimbursed by either the individual or the health plan.
    We also recognize that a provider may not be able to implement a 
restriction where an individual waits until care has been initiated to 
make such a request, such as in the case of a hospital stay, in which 
case the individual's protected health information may have already 
been disclosed to the health plan.
    With respect to restrictions and follow-up care, we continue to 
maintain the approach discussed in the NPRM. If an individual has a 
restriction in place with respect to a health care service but does not 
pay out of pocket and request a restriction with regard to follow-up 
treatment, and the provider needs to include information that was 
previously restricted in the bill to the health plan in order to have 
the service deemed medically necessary or appropriate, then the 
provider is permitted to disclose such information so long as doing so 
is consistent with the provider's minimum necessary policies and 
procedures. We also clarify that such a disclosure would continue to be 
permitted for payment purposes and thus, would not require the 
individual's written authorization. However, as we did in the NPRM, we 
highly encourage covered entities to engage in open dialogue with 
individuals to ensure that they are aware that previously restricted 
protected health information may be disclosed to the health plan unless 
they request an additional restriction and pay out of pocket for the 
follow-up care.
Response to Other Public Comments
    Comment: Several commenters asked that the provision be limited to 
just providers and not to covered entities in general. Commenters also 
asked for clarification on whether the restriction prohibits providers 
from giving protected health information to health plans solely for 
payment or health care operations purposes in such cases or all 
entities that may receive protected health information for payment or 
health care operations.
    Response: We clarify that this provision, in effect, will apply 
only to covered health care providers. However, the provisions of Sec.  
164.522(a) apply to covered entities generally and thus, we decline to 
alter the regulatory text. In response to commenters' concerns 
regarding disclosure for payment or health care operations purposes to 
entities other than the health plan, we clarify that this provision 
does not affect disclosures to these other entities as permitted by the 
Privacy Rule.
    Comment: Commenters asked what the liability is for a provider who 
discloses restricted protected health information to a plan.
    Response: A provider who discloses restricted protected health 
information to the health plan is making a disclosure in violation of 
the Privacy Rule and the HITECH Act, which, as with other impermissible 
disclosures is subject to the imposition of possible criminal 
penalties, civil money penalties, or corrective action.
    Comment: Several commenters asked that we clarify that the 
``required by law'' exception allows providers to respond to subpoenas, 
court orders, and judicial proceedings.
    Response: The ``required by law'' exception in Sec.  
164.522(a)(1)(vi) does allow health care providers to respond to court 
orders and subpoenas issued by a court requiring disclosure of 
protected health information to a health plan. See the definition of 
``required by law'' at Sec.  164.103. Further, Sec.  164.522(a)(1)(vi) 
does not affect the disclosure of protected health information to 
entities that are not health plans and thus, disclosures to these other 
entities made as required by law, for judicial and administrative 
proceedings, or for law enforcement activities in accordance with 
Sec. Sec.  164.512(a), 164.512(e), and 164.512(f), respectively, 
continue to be permitted.
    Comment: Several commenters suggested that the final rule be 
written to ensure that there are no conflicts with the Fair Debt 
Collection Practices Act and similar State laws regarding the legal 
obligation to validate a debt that is disputed by a debtor. Commenters 
sought clarification on whether the provider can still disclose 
protected health information for the recovery of debts.
    Response: The final rule does not impact a provider's ability to 
disclose protected health information for payment purposes to a 
collection agency or otherwise for collection activities related to an 
individual's debt to the provider. Section 164.522(a) restricts 
disclosures to a health plan for payment purposes where the individual 
has paid out of pocket for the health care item or service that is the 
subject of the disclosure and requests such a restriction.
    Comment: Commenters asked that we clarify whether payment with a 
Flexible Spending Account (FSA) or Health Savings Account (HSA) is 
considered a payment by a person on behalf of the individual.
    Response: An individual may use an FSA or HSA to pay for the health 
care items or services that the individual wishes to have restricted 
from another plan; however, in doing so the individual may not restrict 
a disclosure to the FSA or HSA necessary to effectuate that payment.
    Comment: When a restriction is requested, the provider is also 
prohibited from making disclosures of the restricted protected health 
information to the business associate of the health plan. One commenter 
suggested that the final rule make it the priority of the business 
associate to inform the provider that they are acting as the business 
associate of the health plan to ensure provider compliance with the 
rule. Other comments misconstrued the preamble statements on this issue 
and commented that a provider should be allowed to provide restricted 
protected health information to its own business associates.
    Response: A provider that is prohibited from disclosing protected 
health information to a health plan may not disclose such information 
to the health plan's business associate. We do not include a 
requirement that the business associate inform the provider that they 
are acting as a business associate of the health plan as it is the 
provider's responsibility to know to whom and for what purposes it is 
making a disclosure. We also clarify that a provider is not prohibited 
from disclosing protected health information restricted from a health 
plan to its own business associates for the provider's own purposes.
    Comment: One commenter expressed concern about the number of 
workforce members who must know about the restriction and indicated 
that this may create a risk for potential error with regard to the 
information.
    Response: Covered entities must identify those workforce members or 
class of persons who need access to particular protected health 
information, and appropriately train their workforce members as 
necessary to comply with these new requirements.

[[Page 5631]]

10. Section 164.524--Access of Individuals to Protected Health 
Information
Proposed Rule
    Section 164.524 of the Privacy Rule currently establishes, with 
limited exceptions, an enforceable means by which individuals have a 
right to review or obtain copies of their protected health information 
to the extent such information is maintained in the designated record 
set(s) of a covered entity. An individual's right of access exists 
regardless of the format of the protected health information, and the 
standards and implementation specifications that address individuals' 
requests for access and timely action by the covered entity (i.e., 
provision of access, denial of access, and documentation) apply to an 
electronic environment in a similar manner as they do to a paper-based 
environment. See The HIPAA Privacy Rule's Right of Access and Health 
Information Technology (providing guidance with respect to how Sec.  
164.524 applies in an electronic environment and how health information 
technology can facilitate providing individuals with this important 
privacy right), available at: https://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/eaccess.pdf.
    Section 13405(e) of the HITECH Act strengthens the Privacy Rule's 
right of access with respect to covered entities that use or maintain 
an electronic health record (EHR) on an individual. Section 13405(e) 
provides that when a covered entity uses or maintains an EHR with 
respect to protected health information of an individual, the 
individual shall have a right to obtain from the covered entity a copy 
of such information in an electronic format and the individual may 
direct the covered entity to transmit such copy directly to the 
individual's designee, provided that any such choice is clear, 
conspicuous, and specific. Section 13405(e) also provides that any fee 
imposed by the covered entity for providing such an electronic copy 
shall not be greater than the entity's labor costs in responding to the 
request for the copy.
    Section 13405(e) applies by its terms only to protected health 
information in EHRs. However, incorporating these new provisions in 
such a limited manner in the Privacy Rule could result in a complex set 
of disparate requirements for access to protected health information in 
EHR systems versus other types of electronic records systems. As such, 
the Department proposed to use its authority under section 264(c) of 
HIPAA to prescribe the rights individuals should have with respect to 
their individually identifiable health information to strengthen the 
right of access as provided under section 13405(e) of the HITECH Act 
more uniformly to all protected health information maintained in one or 
more designated record sets electronically, regardless of whether the 
designated record set is an EHR. The public comments and final 
regulation on the scope are discussed here. The proposed amendments to 
each provision implicated by section 13405(e), together with the public 
comments and final regulation, are discussed more specifically in 
separate sections below.
Overview of Public Comments
    Most commenters were opposed to the proposal to expand the scope of 
the individual access provision to include all electronic designated 
record sets and favored limiting the requirement to EHRs. These 
commenters felt that limiting the access provision to EHRs was 
consistent with congressional intent and questioned the authority of 
the Department to expand the scope. Commenters also argued that having 
disparate requirements for different systems would not be confusing, 
and requiring electronic access to electronic designated record sets 
that are not EHRs would be highly burdensome for covered entities. 
Specifically, commenters stated that the proposed requirement for 
electronic access would include numerous types of legacy systems, many 
of which are incapable of producing reports in easily readable formats 
that can be transmitted electronically. These commenters indicated that 
a significant amount of information technology development and 
investment would be needed to comply with this requirement if it 
applies to all electronic designated record sets.
    A number of consumer advocates supported the expanded scope to 
include all electronic designated records sets in addition to EHRs. 
These commenters felt that this would provide complete transparency for 
consumers, help individuals gain access to their medical records and 
make better-informed decisions about their health care, and promote 
consistent and uniform practices.
Final Rule
    The final rule adopts the proposal to amend the Privacy Rule at 
Sec.  164.524(c)(2)(ii) to require that if an individual requests an 
electronic copy of protected health information that is maintained 
electronically in one or more designated record sets, the covered 
entity must provide the individual with access to the electronic 
information in the electronic form and format requested by the 
individual, if it is readily producible, or, if not, in a readable 
electronic form and format as agreed to by the covered entity and the 
individual. In such cases, to the extent possible, we expect covered 
entities to provide the individual with a machine readable copy of the 
individual's protected health information. The Department considers 
machine readable data to mean digital information stored in a standard 
format enabling the information to be processed and analyzed by 
computer. For example, this would include providing the individual with 
an electronic copy of the protected health information in the format of 
MS Word or Excel, text, HTML, or text-based PDF, among other formats.
    We disagree with commenters that questioned the Department's 
authority to extend the strengthened electronic access right to all 
protected health information maintained electronically in designated 
record sets, and believe that this extended electronic right of access 
is important for individuals as covered entities increasingly 
transition from paper to electronic records. With regard to the 
additional burdens on covered entities, we note that providing access 
to protected health information held in electronic designated record 
sets was already required under the Privacy Rule at Sec.  164.524, 
which applies to protected health information in both paper and 
electronic designated record sets, and which requires providing the 
copy in the form and format requested by the individual, including 
electronically, if it is readily producible in such form and format. We 
anticipate the additional burden to be small due to the flexibility 
permitted in satisfying this new requirement, as discussed in the 
section on Form and Format.
Response to Other Public Comments
    Comment: Some commenters worried that giving individuals access to 
administrative systems (in contrast to clinical systems) would present 
a security concern to covered entities.
    Response: Covered entities are not required by this provision to 
provide individuals with direct access to their systems. They must only 
provide individuals with an electronic copy of their protected health 
information.
    Comment: Commenters requested clarification on what constitutes an 
EHR.
    Response: Under this final rule, the requirement to provide 
individuals with access to an electronic copy includes all

[[Page 5632]]

protected health information maintained in an electronic designated 
record set held by a covered entity. Because we are not limiting the 
right of electronic access to EHRs, we do not believe there is a need 
to define or further clarify the term at this time.
    Comment: One commenter requested clarification that this electronic 
access requirement preempts State laws that diminish, block, or limit 
individual access to their records.
    Response: We clarify that this HIPAA electronic right of access 
requirement does preempt contrary State law unless such law is more 
stringent. In the case of right of access, more stringent means that 
such State law permits greater rights of access to the individual.
    Comment: Several commenters sought clarification of how the new e-
access provisions would apply to business associates. One commenter 
asked whether business associates could continue to provide patients 
access to records when permitted and acting on behalf of a covered 
entity. Another commenter asked whether business associates are 
required to provide information to covered entities and not to 
individuals directly. One commenter was opposed to direct access from a 
business associate because of security concerns and increased burden on 
business associates if corrections are needed.
    Response: How and to what extent a business associate is to support 
or fulfill a covered entity's obligation to provide individuals with 
electronic access to their records will be governed by the business 
associate agreement between the covered entity and the business 
associate. For example, the business associate agreement may provide 
for the business associate to give copies of the requested information 
directly to the individual, or to the covered entity for the covered 
entity to provide the copies to the individual. There is no separate 
requirement on business associates to provide individuals with direct 
access to their health records, if that is not what has been agreed to 
between the covered entity and the business associate in the business 
associate agreement.
a. Form and Format
Proposed Rule
    Section 164.524(c)(2) of the Privacy Rule currently requires a 
covered entity to provide the individual with access to the protected 
health information in the form or format requested by the individual, 
if it is readily producible in such form or format, or, if not, in a 
readable hard copy form or such other form or format as agreed to by 
the covered entity and the individual. Section 13405(e) of the HITECH 
Act expands this requirement by explicitly requiring a covered entity 
that uses or maintains an EHR with respect to protected health 
information to provide the individual with a copy of such information 
in an electronic format.
    We proposed to implement this statutory provision, in conjunction 
with our broader authority under section 264(c) of HIPAA, by requiring, 
in proposed Sec.  164.524(c)(2)(ii), that if the protected health 
information requested is maintained electronically in one or more 
designated record sets, the covered entity must provide the individual 
with access to the electronic information in the electronic form and 
format requested by the individual, if it is readily producible, or, if 
not, in a readable electronic form and format as agreed to by the 
covered entity and the individual. This provision would require any 
covered entity that electronically maintains the protected health 
information about an individual, in one or more designated record sets, 
to provide the individual with an electronic copy of such information 
(or summary or explanation if agreed to by the individual in accordance 
with proposed Sec.  164.524(c)(2)(iii)) in the electronic form and 
format requested or in an otherwise agreed upon electronic form and 
format. While an individual's right of access to an electronic copy of 
protected health information is currently limited under the Privacy 
Rule by whether the form or format requested is readily producible, 
covered entities that maintain such information electronically in a 
designated record set would be required under these proposed 
modifications to provide some type of electronic copy, if requested by 
an individual.
    Because we did not want to bind covered entities to standards that 
may not yet be technologically mature, we proposed to permit covered 
entities to make some other agreement with individuals as to an 
alternative means by which they may provide a readable electronic copy 
to the extent the requested means is not readily producible. If, for 
example, a covered entity received a request to provide electronic 
access via a secure web-based portal, but the only readily producible 
version of the protected health information was in portable document 
format (PDF), proposed Sec.  164.524(c)(2)(ii) would require the 
covered entity to provide the individual with a PDF copy of the 
protected health information, if agreed to by the covered entity and 
the individual. We noted that while a covered entity may provide 
individuals with limited access rights to their EHR, such as through a 
secure web-based portal, nothing under the current Rule or proposed 
modifications would require a covered entity to have this capability.
    We noted that the option of arriving at an alternative agreement 
that satisfies both parties is already part of the requirement to 
provide access under Sec.  164.524(c)(2)(i), so extension of such a 
requirement to electronic access should present few implementation 
difficulties. Further, as with other disclosures of protected health 
information, in providing the individual with an electronic copy of 
protected health information through a web-based portal, email, on 
portable electronic media, or other means, covered entities should 
ensure that reasonable safeguards are in place to protect the 
information. We also noted that the proposed modification presumes that 
covered entities have the capability of providing an electronic copy of 
protected health information maintained in their designated record 
set(s) electronically through a secure web-based portal, via email, on 
portable electronic media, or other manner. We invited public comment 
on this presumption.
Overview of Public Comments
    We received many comments and requests for clarification and 
guidance regarding the permitted methods for offering protected health 
information on electronic media, and the acceptable form and format of 
the electronic copy. Several commenters suggested that covered entities 
be permitted flexibility in determining available electronic formats 
and requested clarification on what is considered ``readily 
producible.'' These commenters expressed concerns that a limited number 
of permissible electronic formats may result in a situation where 
protected health information could not be converted from a particular 
electronic system. Other commenters indicated that there should be 
minimum standards and clearly defined media that are permissible to 
meet this requirement. One commenter felt that this requirement is 
important but should be deferred until covered entities have improved 
their technological capabilities.
    Many commenters requested guidance on how to proceed if a covered 
entity and an individual are unable to come to an agreement on the 
medium of choice and what is expected in terms of accommodating the 
individual's medium of choice. Some commenters suggested various 
alternate solutions if

[[Page 5633]]

an agreement cannot be reached, including any readily producible 
format, PDF, or hard copy protected health information. Some covered 
entities felt that individuals should not have an unlimited choice in 
terms of the electronic media they are willing to accept, and should 
only be permitted to confine their choices of electronic media to a 
couple of options that the covered entity has available.
Final Rule
    The final rule adopts the proposal to require covered entities to 
provide electronic information to an individual in the electronic form 
and format requested by the individual, if it is readily producible, 
or, if not, in a readable electronic form and format as agreed to by 
the covered entity and the individual. We recognize that what is 
available in a readable electronic form and format will vary by system 
and that covered entities will continue to improve their technological 
capabilities over time. We therefore allow covered entities the 
flexibility to provide readily producible electronic copies of 
protected health information that are currently available on their 
various systems. A covered entity is not required to purchase new 
software or systems in order to accommodate an electronic copy request 
for a specific form that is not readily producible by the covered 
entity at the time of the request, provided that the covered entity is 
able to provide some form of electronic copy. We note that some legacy 
or other systems may not be capable of providing any form of electronic 
copy at present and anticipate that some covered entities may need to 
make some investment in order to meet the basic requirement to provide 
some form of electronic copy.
    We agree with covered entities that individuals should not have an 
unlimited choice in the form of electronic copy requested. However, 
covered entities must still provide individuals with some kind of 
readable electronic copy. If an individual requests a form of 
electronic copy that the covered entity is unable to produce, the 
covered entity must offer other electronic formats that are available 
on their systems. If the individual declines to accept any of the 
electronic formats that are readily producible by the covered entity, 
the covered entity must provide a hard copy as an option to fulfill the 
access request. While we remain neutral on the type of technology that 
covered entities may adopt, a PDF is a widely recognized format that 
would satisfy the electronic access requirement if it is the 
individual's requested format or if the individual agrees to accept a 
PDF instead of the individual's requested format. Alternatively, there 
may be circumstances where an individual prefers a simple text or rich 
text file and the covered entity is able to accommodate this 
preference. A hard copy of the individual's protected health 
information would not satisfy the electronic access requirement. 
However, a hard copy may be provided if the individual decides not to 
accept any of the electronic formats offered by the covered entity.
Response to Other Public Comments
    Comment: Several covered entities commented on the form of a 
request for access to electronic protected health information. Some 
expressed appreciation for permitting an electronic request process, 
including e-signatures and authentication. Some expressed opposition to 
the requirement for a signed request in writing, as it would be highly 
burdensome and cause delays. Covered entities sought guidance on 
elements that would be required or permitted in a request form for 
individuals.
    Response: We clarify that the requirement at Sec.  164.524(b)(1), 
which states that the covered entity may require individuals to make 
requests for access in writing, provided that it informs individuals of 
such a requirement, remains unchanged. Therefore, covered entities may 
at their option require individuals to make requests for electronic 
copies of their protected health information in writing. We note that 
the Privacy Rule allows for electronic documents to qualify as written 
documents, as well as electronic signatures to satisfy any requirements 
for a signature, to the extent the signature is valid under applicable 
law. If the covered entity chooses to require a written request, it has 
flexibility in determining what information to put into the request 
form. However, the request form may not be in any way designed to 
discourage an individual from exercising his or her right. A covered 
entity may also choose to accept an individual's oral request for an 
electronic copy of their protected health information without written 
signature or documentation.
    Comment: We received several comments on the content that covered 
entities are required to provide in response to an electronic access 
request. Some commenters felt that there should be a defined minimum 
set of data elements to satisfy this requirement, particularly for non-
EHR data. Covered entities also requested clarification on how to 
handle links to images or other data.
    Response: We clarify that just as is currently required for hard 
copy protected health information access requests, covered entities 
must provide an electronic copy of all protected health information 
about the individual in an electronically maintained designated record 
set, except as otherwise provided at Sec.  164.524(a). If the 
designated record set includes electronic links to images or other 
data, the images or other data that is linked to the designated record 
set must also be included in the electronic copy provided to the 
individual. The electronic copy must contain all protected health 
information electronically maintained in the designated record set at 
the time the request is fulfilled. The individual may request, however, 
only a portion of the protected health information electronically 
maintained in the designated record set, in which case the covered 
entity is only required to provide the requested information.
    Comment: One commenter asserted that the request for protected 
health information should only apply to protected health information 
the covered entity has at the time of the request, not any additional 
protected health information that it obtains while processing the 
request.
    Response: We clarify that the electronic copy must reflect all 
electronic protected health information held by the covered entity in a 
designated record set, or the subset of electronic protected health 
information specifically requested by the individual, at the time the 
request is fulfilled.
    Comment: One commenter asked for confirmation that the new 
electronic requirement does not include a requirement to scan paper and 
provide electronic copies of records held in paper form.
    Response: We clarify that covered entities are not required to scan 
paper documents to provide electronic copies of records maintained in 
hard copy. We note that for covered entities that have mixed media, it 
may in some cases be easier to scan and provide all records in 
electronic form rather than provide a combination of electronic and 
hard copies, however this is in no way required.
    Comment: Many commenters expressed security concerns related to 
this new requirement. Covered entities felt that they should not have 
to use portable devices brought by individuals (particularly flash 
drives), due to the security risks that this would introduce to their 
systems. Some covered entities

[[Page 5634]]

additionally asserted that requiring the use of individually-supplied 
media is prohibited by the Security Rule, based on the risk analysis 
determination of an unacceptable risk to the confidentiality, integrity 
and availability of the covered entity's electronic protected health 
information.
    Response: We acknowledge these security concerns and agree with 
commenters that it may not be appropriate for covered entities to 
accept the use of external portable media on their systems. Covered 
entities are required by the Security Rule to perform a risk analysis 
related to the potential use of external portable media, and are not 
required to accept the external media if they determine there is an 
unacceptable level of risk. However, covered entities are not then 
permitted to require individuals to purchase a portable media device 
from the covered entity if the individual does not wish to do so. The 
individual may in such cases opt to receive an alternative form of the 
electronic copy of the protected health information, such as through 
email.
    Comment: Several commenters specifically commented on the option to 
provide electronic protected health information via unencrypted email. 
Covered entities requested clarification that they are permitted to 
send individuals unencrypted emails if they have advised the individual 
of the risk, and the individual still prefers the unencrypted email. 
Some felt that the ``duty to warn'' individuals of risks associated 
with unencrypted email would be unduly burdensome on covered entities. 
Covered entities also requested clarification that they would not be 
responsible for breach notification in the event that unauthorized 
access of protected health information occurred as a result of sending 
an unencrypted email based on an individual's request. Finally, one 
commenter emphasized the importance that individuals are allowed to 
decide if they want to receive unencrypted emails.
    Response: We clarify that covered entities are permitted to send 
individuals unencrypted emails if they have advised the individual of 
the risk, and the individual still prefers the unencrypted email. We 
disagree that the ``duty to warn'' individuals of risks associated with 
unencrypted email would be unduly burdensome on covered entities and 
believe this is a necessary step in protecting the protected health 
information. We do not expect covered entities to educate individuals 
about encryption technology and the information security. Rather, we 
merely expect the covered entity to notify the individual that there 
may be some level of risk that the information in the email could be 
read by a third party. If individuals are notified of the risks and 
still prefer unencrypted email, the individual has the right to receive 
protected health information in that way, and covered entities are not 
responsible for unauthorized access of protected health information 
while in transmission to the individual based on the individual's 
request. Further, covered entities are not responsible for safeguarding 
information once delivered to the individual.
b. Third Parties
Proposed Rule
    Section 164.524(c)(3) of the Privacy Rule currently requires the 
covered entity to provide the access requested by the individual in a 
timely manner, which includes arranging with the individual for a 
convenient time and place to inspect or obtain a copy of the protected 
health information, or mailing the copy of protected health information 
at the individual's request. The Department had previously interpreted 
this provision as requiring a covered entity to mail the copy of 
protected health information to an alternative address requested by the 
individual, provided the request was clearly made by the individual and 
not a third party. Section 13405(e)(1) of the HITECH Act provides that 
if the individual chooses, he or she has a right to direct the covered 
entity to transmit an electronic copy of protected health information 
in an EHR directly to an entity or person designated by the individual, 
provided that such choice is clear, conspicuous, and specific.
    Based on section 13405(e)(1) of the HITECH Act and our authority 
under section 264(c) of HIPAA, we proposed to expand Sec.  
164.524(c)(3) to expressly provide that, if requested by an individual, 
a covered entity must transmit the copy of protected health information 
directly to another person designated by the individual. This proposed 
amendment is consistent with the Department's prior interpretation on 
this issue and would apply without regard to whether the protected 
health information is in electronic or paper form. We proposed to 
implement the requirement of section 13405(e)(1) that the individual's 
``choice [be] clear, conspicuous, and specific'' by requiring that the 
individual's request be ``in writing, signed by the individual, and 
clearly identify the designated person and where to send the copy of 
protected health information.'' We noted that the Privacy Rule allows 
for electronic documents to qualify as written documents for purposes 
of meeting the Rule's requirements, as well as electronic signatures to 
satisfy any requirements for a signature, to the extent the signature 
is valid under applicable law. Thus, a covered entity could employ an 
electronic process for receiving an individual's request to transmit a 
copy of protected health information to his or her designee under this 
proposed provision. Whether the process is electronic or paper-based, a 
covered entity must implement reasonable policies and procedures under 
Sec.  164.514(h) to verify the identity of any person who requests 
protected health information, as well as implement reasonable 
safeguards under Sec.  164.530(c) to protect the information that is 
used or disclosed.
Overview of Public Comments
    Commenters requested clarification regarding the proposal to 
transmit an electronic copy of protected health information to another 
person designated by the individual. In particular, covered entities 
sought clarification on whether or not an authorization is required 
prior to transmitting the requested electronic protected health 
information to a third party designated by the individual. Some 
commenters supported the ability to provide electronic protected health 
information access to third parties without individual authorization, 
while others felt that authorization should be required. Covered 
entities requested clarification that they are not liable when making 
reasonable efforts to verify the identity of a third party recipient 
identified by the individual.
Final Rule
    The final rule adopts the proposed amendment Sec.  164.524(c)(3) to 
expressly provide that, if requested by an individual, a covered entity 
must transmit the copy of protected health information directly to 
another person designated by the individual. In contrast to other 
requests under Sec.  164.524, when an individual directs the covered 
entity to send the copy of protected health information to another 
designated person, the request must be made in writing, signed by the 
individual, and clearly identify the designated person and where to 
send the copy of the protected health information. If a covered entity 
has decided to require all access requests in writing, the third party 
recipient information and signature by the individual can be included 
in the same written request; no additional or separate written request 
is

[[Page 5635]]

required. This written request for protected health information to be 
sent to a designated person is distinct from an authorization form, 
which contains many additional required statements and elements (see 
Sec.  164.508(c)). Covered entities may rely on the information 
provided in writing by the individual when providing protected health 
information to a third party recipient identified by the individual, 
but must also implement reasonable policies and procedures under Sec.  
164.514(h) to verify the identity of any person who requests protected 
health information, as well as implement reasonable safeguards under 
Sec.  164.530(c) to protect the information that is used or disclosed. 
For example, reasonable safeguards would not require the covered entity 
to confirm that the individual provided the correct email address of 
the third party, but would require reasonable procedures to ensure that 
the covered entity correctly enters the email address into its system.
c. Fees
Proposed Rule
    Section 164.524(c)(4) of the Privacy Rule currently permits a 
covered entity to impose a reasonable, cost-based fee for a copy of 
protected health information (or a summary or explanation of such 
information). However, such a fee may only include the cost of: (1) The 
supplies for, and labor of, copying the protected health information; 
(2) the postage associated with mailing the protected health 
information, if applicable; and (3) the preparation of an explanation 
or summary of the protected health information, if agreed to by the 
individual. With respect to providing a copy (or summary or 
explanation) of protected health information from an EHR in electronic 
form, however, section 13405(e)(2) of the HITECH Act provides that a 
covered entity may not charge more than its labor costs in responding 
to the request for the copy.
    In response to section 13405(e)(2) of the HITECH Act, we proposed 
to amend Sec.  164.524(c)(4)(i) to identify separately the labor for 
copying protected health information, whether in paper or electronic 
form, as one factor that may be included in a reasonable cost-based 
fee. While we did not propose more detailed considerations for this 
factor within the regulatory text, we retained all prior 
interpretations of labor with respect to paper copies--that is, that 
the labor cost of copying may not include the costs associated with 
searching for and retrieving the requested information. With respect to 
electronic copies, we asserted that a reasonable cost-based fee 
includes costs attributable to the labor involved to review the access 
request and to produce the electronic copy, which we expected would be 
negligible. However, we did not consider a reasonable cost-based fee to 
include a standard ``retrieval fee'' that does not reflect the actual 
labor costs associated with the retrieval of the electronic information 
or that reflects charges that are unrelated to the individual's request 
(e.g., the additional labor resulting from technical problems or a 
workforce member's lack of adequate training). We invited public 
comment on this aspect of our rulemaking, specifically with respect to 
what types of activities related to managing electronic access requests 
should be compensable aspects of labor.
    We also proposed to amend Sec.  164.524(c)(4)(ii) to provide 
separately for the cost of supplies for creating the paper copy or 
electronic media (i.e., physical media such as a compact disc (CD) or 
universal serial bus (USB) flash drive), if the individual requests 
that the electronic copy be provided on portable media. This 
reorganization and the addition of the phrase ``electronic media'' 
reflected our understanding that since section 13405(e)(2) of the 
HITECH Act permits only the inclusion of labor costs in the charge for 
electronic copies, it by implication excludes charging for the supplies 
that are used to create an electronic copy of the individual's 
protected health information, such as the hardware (computers, 
scanners, etc.) or software that is used to generate an electronic copy 
of an individual's protected health information in response to an 
access request. We noted that this limitation is in contrast to a 
covered entity's ability to charge for supplies for hard copies of 
protected health information (e.g., the cost of paper, the prorated 
cost of toner and wear and tear on the printer). See 65 FR 82462, 
82735, Dec. 28, 2000 (responding to a comment seeking clarification on 
``capital cost for copying'' and other supply costs by indicating that 
a covered entity was free to recoup all of their reasonable costs for 
copying). We asserted that this interpretation was consistent with the 
fact that, unlike a hard copy, which generally exists on paper, an 
electronic copy exists independent of media, and can be transmitted 
securely via multiple methods (e.g., email, a secure web-based portal, 
or an individual's own electronic media) without accruing any ancillary 
supply costs. We also noted, however, that our interpretation of the 
statute would permit a covered entity to charge a reasonable and cost-
based fee for any electronic media it provided, as requested or agreed 
to by an individual.
    While we proposed to renumber the remaining factors at Sec.  
164.524(c)(4), we did not propose to amend their substance. With 
respect to Sec.  164.524(c)(4)(iii), however, we noted that our 
interpretation of the statute would permit a covered entity to charge 
for postage if an individual requests that the covered entity transmit 
portable media containing an electronic copy through mail or courier 
(e.g., if the individual requests that the covered entity save 
protected health information to a CD and then mail the CD to a 
designee).
Overview of Public Comments
    Commenters generally supported and appreciated the inclusion of a 
reasonable, cost-based fee that includes both labor and, in some cases, 
supply costs to support the new electronic access requirement. Several 
commenters disagreed that the cost related to reviewing and responding 
to requests would be negligible, particularly if the scope includes 
information in designated record sets and not only EHRs, since more 
technically trained staff would be necessary to perform this function.
    Commenters provided many suggestions of costs that should be 
permitted in the fees, including those associated with labor, 
materials, systems, retrieval (particularly for old data maintained in 
archives, backup media or legacy systems), copying, transmission, and 
capital to recoup the significant investments made for data access, 
storage and infrastructure. Commenters offered additional suggestions 
on labor-related costs, including: skilled technical staff time; time 
spent recovering, compiling, extracting, scanning and burning protected 
health information to media, and distributing the media; and 
preparation of an explanation or summary if appropriate. Suggestions of 
materials-related costs included: CDs, flash drives, tapes or other 
portable media; new types of technology needed to comply with 
individual requests; office supplies; and mail copies. Systems-related 
costs included: software necessary to conduct protected health 
information searches; and implementation and maintenance of security 
systems and secure connectivity.
Final Rule
    The final rule adopts the proposed amendment at Sec.  
164.524(c)(4)(i) to identify separately the labor for copying protected 
health information, whether

[[Page 5636]]

in paper or electronic form, as one factor that may be included in a 
reasonable cost-based fee. We acknowledge commenters' assertions that 
the cost related to searching for and retrieving electronic protected 
health information in response to requests would be not be negligible, 
as opposed to what we had anticipated, particularly in regards to 
designated record set access that will require more technically trained 
staff to perform this function. We clarify that labor costs included in 
a reasonable cost-based fee could include skilled technical staff time 
spent to create and copy the electronic file, such as compiling, 
extracting, scanning and burning protected health information to media, 
and distributing the media. This could also include the time spent 
preparing an explanation or summary of the protected health 
information, if appropriate.
    The final rule also adopts the proposed amendment at Sec.  
164.524(c)(4)(ii) to provide separately for the cost of supplies for 
creating the paper copy or electronic media (i.e., physical media such 
as a compact disc (CD) or universal serial bus (USB) flash drive), if 
the individual requests that the electronic copy be provided on 
portable media. We do not require that covered entities obtain new 
types of technology needed to comply with specific individual requests, 
and therefore the cost of obtaining such new technologies is not a 
permissible fee to include in the supply costs.
    With respect to Sec.  164.524(c)(4)(iii), we clarify that a covered 
entity is permitted to charge for postage if an individual requests 
that the covered entity transmit portable media containing an 
electronic copy through mail or courier (e.g., if the individual 
requests that the covered entity save protected health information to a 
CD and then mail the CD to a designee).
    Fees associated with maintaining systems and recouping capital for 
data access, storage and infrastructure are not considered reasonable, 
cost-based fees, and are not permissible to include under this 
provision. Covered entities are not required to adopt or purchase new 
systems under this provision, and thus any costs associated with 
maintaining them are present regardless of the new electronic access 
right. Additionally, although the proposed rule indicated that a 
covered entity could charge for the actual labor costs associated with 
the retrieval of electronic information, in this final rule we clarify 
that a covered entity may not charge a retrieval fee (whether it be a 
standard retrieval fee or one based on actual retrieval costs). This 
interpretation will ensure that the fee requirements for electronic 
access are consistent with the requirements for hard copies, which do 
not allow retrieval fees for locating the data.
Response to Other Public Comments
    Comment: Commenters requested clarification on how to proceed when 
State laws designate fees.
    Response: When a State law provides a limit on the fee that a 
covered entity may charge for a copy of protected health information, 
this is relevant in determining whether a covered entity's fee is 
``reasonable'' under Sec.  164.524(c)(4). A covered entity's fee must 
be both reasonable and cost-based. For example, if a State permits a 
charge of 25 cents per page, but a covered entity is able to provide an 
electronic copy at a cost of five cents per page, then the covered 
entity may not charge more than five cents per page (since that is the 
reasonable and cost-based amount). Similarly, if a covered entity's 
cost is 30 cents per page but the State law limits the covered entity's 
charge to 25 cents per page, then the covered entity may not charge 
more than 25 cents per page (since charging 30 cents per page would be 
the cost-based amount, but would not be reasonable in light of the 
State law).
    Comment: One commenter suggested that labor-related costs should 
include preparation of an affidavit certifying that the information is 
a true and correct copy of the records.
    Response: We do not consider the cost to prepare an affidavit to be 
a copying cost. Thus, where an individual requests that an affidavit 
accompany the copy of protected health information requested by the 
individual for litigation purposes or otherwise, a covered entity may 
charge the individual for the preparation of such affidavit and is not 
subject to the reasonable, cost-based fee limitations of Sec.  
164.524(c)(4). However, a covered entity may not withhold an 
individual's copy of his or her protected health information for 
failure by the individual to pay any fees for services above and beyond 
the copying, such as for preparing an affidavit.
    Comment: Some commenters recommended defining the following terms: 
``preparing,'' ``producing,'' and ``transmitting.''
    Response: We decline to define the terms ``preparing,'' 
``producing,'' and ``transmitting,'' as we believe the terms have been 
adequately understood and utilized in the context of hard copy access 
to protected health information.
d. Timeliness
Proposed Rule
    We requested comment on one aspect of the right to access and 
obtain a copy of protected health information which the HITECH Act did 
not amend. In particular, the HITECH Act did not change the timeliness 
requirements for provision of access at Sec.  164.524(b). Under the 
current requirements, a request for access must be approved or denied, 
and if approved, access or a copy of the information provided, within 
30 days of the request. In cases where the records requested are only 
accessible from an off-site location, the covered entity has an 
additional 30 days to respond to the request. In extenuating 
circumstances where access cannot be provided within these timeframes, 
the covered entity may have a one-time 30-day extension if the 
individual is notified of the need for the extension within the 
original timeframes.
    With regard to the timeliness of the provision of access, we 
recognized that with the advance of EHRs, there is an increasing 
expectation and capacity to provide individuals with almost 
instantaneous electronic access to the protected health information in 
those records through personal health records or similar electronic 
means. On the other hand, we did not propose to limit the right to 
electronic access of protected health information to certified EHRs, 
and the variety of electronic systems that are subject to this proposed 
requirement would not all be able to comply with a timeliness standard 
based on personal health record capabilities. It was our assumption 
that a single timeliness standard that would address a variety of 
electronic systems, rather than having a multitude of standards based 
on system capacity, would be the preferred approach to avoid 
workability issues for covered entities. Even under a single standard, 
nothing would prevent users of EHR systems from exceeding the Privacy 
Rule's timeliness requirements for providing access to individuals. 
Additionally, the Medicare and Medicaid EHR Incentive Programs (the 
``meaningful use'' programs) require users of Certified EHR Technology 
to provide individuals with expedited access to information. Based on 
the assumption that a single standard would be the preferred approach 
under the Privacy Rule, we requested public comment on an appropriate, 
common timeliness standard for the provision of access by covered 
entities with electronic designated record sets generally. We 
specifically requested comment on aspects of existing systems

[[Page 5637]]

that would create efficiencies in processing of requests for electronic 
information, as well as those aspects of electronic systems that would 
provide little change from the time required for processing a paper 
record. Alternatively, we requested comment on whether the current 
standard could be altered for all systems, paper and electronic, such 
that all requests for access should be responded to without 
unreasonable delay and not later than 30 days.
    We also requested public comment on whether, contrary to our 
assumption, a variety of timeliness standards based on the type of 
electronic designated record set is the preferred approach and if so, 
how such an approach should be implemented.
    Finally, we requested comment on the time necessary for covered 
entities to review access requests and make necessary determinations, 
such as whether the granting of access would endanger the individual or 
other persons so as to better understand how the time needed for these 
reviews relates to the overall time needed to provide the individual 
with access. Further, we requested comment generally on whether the 
provision which allows a covered entity an additional 30 days to 
provide access to the individual if the protected health information is 
maintained off-site should be eliminated altogether for both paper and 
electronic records, or at least for protected health information 
maintained or archived electronically because the physical location of 
electronic data storage is not relevant to its accessibility.
Overview of Public Comments
    Commenters generally supported maintaining the same timeframe for 
response for both paper and electronic records and not modifying the 
existing timeframes for response. Commenters espoused many rationales 
for maintaining a single standard and the existing response standards, 
including that off-site electronic storage with back-up tapes will 
require time to obtain the electronic media, multiple electronic 
systems may need to be accessed, some systems may not have data stored 
in useable formats requiring time to convert data, and time may be 
required to obtain data from business associates and subcontractors.
    Some commenters acknowledged that electronic records may be easier 
to access, but review of records and verification processes would still 
require time that cannot be shortcut because a record is electronic. 
One commenter acknowledged that shorter times may be achievable when 
specific data set standards are established and covered entities have 
electronic records in place. One commenter believed that electronic 
records could be furnished in a much shorter timeframe, such as two 
business days.
    Several commenters suggested responses be done in much shorter 
timeframes, such as instantly, within one day or three days. One 
commenter noted that meaningful use standards required access within 
three days for 50 percent of patients. These commenters suggested 
alternative timeframes for adoption, such as allowing 60 days for 
response due to off-site storage issues and potential for multiple 
requests. One commenter suggested 30 and 60 day times were unworkable 
and another commenter suggested eliminating the 30 day extension for 
off-site record storage. One commenter suggested 30 days may be longer 
than is necessary, but cautioned against mandates that would 
unreasonably divert provider resources (e.g., five days would be 
unreasonable when a provider must take time to include explanatory 
notes).
Final Rule
    The final rule modifies the timeliness requirements for right to 
access and to obtain a copy of protected health information at Sec.  
164.524(b). We remove the provision at Sec.  164.524(b)(2)(ii) that 
permits 60 days for timely action when protected health information for 
access is not maintained or accessible to the covered entity on-site. 
We retain and renumber as necessary the provision at Sec.  
164.524(b)(2)(iii) that permits a covered entity a one-time extension 
of 30 days to respond to the individual's request (with written notice 
to the individual of the reasons for delay and the expected date by 
which the entity will complete action on the request).
    We believe the 30 day timeframe for access is appropriate and 
achievable by covered entities given the increasing expectation and 
capacity to provide individuals with almost instantaneous electronic 
access to the protected health information in those records through 
personal health records or similar electronic means. While a covered 
entity is permitted 30 days to provide access (with a 30-day extension 
when necessary), we encourage covered entities to provide individuals 
with access to their information sooner, and to take advantage of 
technologies that provide individuals with immediate access to their 
health information. Nevertheless, for covered entities that continue to 
make use of off-site storage or have additional time constraints to 
providing access, the 30 day extension remains available for a covered 
entity to exercise. This means, for example, that a covered entity must 
provide an individual with access to off-site records within 30 days of 
the individual's request when possible, with a 30-day extension 
available (for a total of 60 days, in contrast to the current law that 
permits up to 90 days to provide the individual with access to such 
records).
    We decline to establish separate timeframes for timely access based 
upon whether the protected health information to be accessed is paper 
or electronic. Commenters generally supported adoption of a single 
standard rather than differing standards based upon whether a record is 
paper or electronic and no comments provided compelling reasons to 
establish differing standards.
Response to Other Public Comments
    Comment: One commenter asked for clarification as to when the time 
period for responding to a response begins if the parties spend 
significant time attempting to reach agreement on the format of the 
electronic copy.
    Response: We confirm that the time period for responding to a 
request for access begins on the date of the request. Covered entities 
that spend significant time before reaching agreement on the electronic 
format for a response are using part of the 30 days permitted for 
response.
    Comment: One commenter suggested there should be a transition 
period for those covered entities that do not currently have the 
capability to meet the electronic access requirement.
    Response: We decline to implement a transition period for access to 
electronic copies of protected health information. Covered entities are 
already subject to the hard copy access requirement for all information 
held in designated record sets, including electronic designated record 
sets, and the new requirement for electronic copies gives covered 
entities the flexibility to provide an electronic copy in a form that 
is readily producible. We do not believe additional time is needed to 
provide electronic copies of protected health information that are 
readily producible.
11. Other Technical Changes and Conforming Changes
Proposed Rule
    We proposed to make a number of technical and conforming changes to 
the Privacy Rule to fix minor problems, such as incorrect cross-
references, mistakes of grammar, and typographical errors. These 
changes are shown in Table 3 below.

[[Page 5638]]



                                    Table 3--Technical and Conforming Changes
----------------------------------------------------------------------------------------------------------------
           Regulation section                Current language         Proposed change        Reason for change
----------------------------------------------------------------------------------------------------------------
164.510(b)(2)(iii)......................  ``based the exercise    Insert ``on'' after     Correct typographical
                                           of professional         ``based''.              error.
                                           Judgment''.
164.512(b)(1)...........................  ``Permitted             Insert ``uses and''     Correct inadvertent
                                           disclosures'' and       and ``use or'' before   omission.
                                           ``may disclose''.       ``disclosures'' and
                                                                   ``disclose,''
                                                                   respectively.
164.512(e)(1)(iii)......................  ``seeking protecting    Change ``protecting''   Correct typographical
                                           health information''.   to ``protected''.       error.
164.512(e)(1)(vi).......................  ``paragraph (e)(1)(iv)  Change ``(e)(1)(iv)''   Correct cross-
                                           of this section''.      to ``(e)(1)(v)''.       reference.
164.512(k)(3)...........................  ``authorized by 18      Remove the comma after  Correct typographical
                                           U.S.C. 3056, or to      ``U.S.C. 3056'' and     errors.
                                           foreign heads of        the ``to'' before
                                           state, or to for the    ``for''.
                                           conduct of
                                           investigations''.
----------------------------------------------------------------------------------------------------------------

    In addition to the above technical changes, we proposed to make a 
few clarifications to existing text in various provisions of the 
regulation not otherwise addressed in the above preamble. These are as 
follows.
    1. Section 164.506(c)(5) permits a covered entity to disclose 
protected health information ``to another covered entity that 
participates in the organized health care arrangement.'' We proposed to 
change the words ``another covered entity that participates'' to 
``other participants'' because not all participants in an organized 
health care arrangement may be covered entities; for example, some 
physicians with staff privileges at a hospital may not be covered 
entities.
    2. Section 164.510(a)(1)(ii) permits the disclosure of directory 
information to members of the clergy and other persons who ask for the 
individual by name. We proposed to add the words ``use or'' to this 
permission, to cover the provision of such information to clergy who 
are part of a facility's workforce.
    3. Section 164.510(b)(3) covers uses and disclosures of protected 
health information when the individual is not present to agree or 
object to the use or disclosure, and, as pertinent here, permits 
disclosure to persons only of ``the protected health information that 
is directly relevant to the person's involvement with the individual's 
health care.'' We proposed to delete the last two quoted words and 
substitute the following: ``care or payment related to the individual's 
health care or needed for notification purposes.'' This change aligns 
the text of paragraph (b)(3) with the permissions provided for at 
paragraph (b)(1) of this section.
    4. Where an employer needs protected health information to comply 
with workplace medical surveillance laws, such as the Occupational 
Safety and Health Administration or Mine Safety and Health 
Administration requirements, Sec.  164.512(b)(1)(v)(A) permits a 
covered entity to disclose, subject to certain conditions, protected 
health information of an individual to the individual's employer if the 
covered entity is a covered health care provider ``who is a member of 
the workforce of such employer or who provides health care to the 
individual at the request of the employer.'' We proposed to amend the 
quoted language by removing the words ``who is a member of the 
workforce of such employer or,'' as the language is unnecessary.
    5. At Sec.  164.512(k)(1)(ii), we proposed to replace the word 
``Transportation'' with ``Homeland Security.'' The language regarding a 
component of the Department of Transportation was included to refer to 
the Coast Guard; however, the Coast Guard was transferred to the 
Department of Homeland Security in 2003.
    6. At Sec.  164.512(k)(5), which permits a covered entity to 
disclose to a correctional institution or law enforcement official 
having lawful custody of an inmate or other individual protected health 
information about the inmate or individual in certain necessary 
situations, we proposed to replace the word ``and'' after the semicolon 
in paragraph (i)(E) with the word ``or.'' The intent of Sec.  
164.512(k)(5)(i) is not that the existence of all of the conditions is 
necessary to permit the disclosure, but rather that the existence of 
any would permit the disclosure.
Overview of Public Comments
    One commenter requested clarification about whether business 
associates may participate in an organized health care arrangement 
(OHCA) under Sec.  164.506(c)(5). Another commenter recommended against 
changing the language of Sec.  164.506(c)(5), arguing that such a 
change could bring entities like employers and pharmaceutical companies 
into OHCAs that should not otherwise have access to protected health 
information, and suggested that the Department change the language to 
make clear that an OHCA may include only professional staff members.
Final Rule
    The final rule implements the technical, conforming, and clarifying 
changes as proposed. In response to the comments regarding which 
entities may participate in an OHCA, we clarify that a covered entity 
participating in an OHCA or the OHCA itself may contract with a 
business associate to provide certain functions, activities, or 
services on its behalf that involve access to protected health 
information, provided the applicable requirements of Sec. Sec.  
164.502(e), 164.504(e), 164.308(b) and 164.314(a) are met. Further, the 
definition of an organized health care arrangement (OHCA) at Sec.  
160.103 includes a clinically integrated care setting in which 
individuals typically receive health care from more than one health 
care provider. We modified Sec.  164.506(c)(5) as discussed above in 
recognition of the fact that not all participants in a clinically 
integrated care setting may be covered entities (e.g., hospital with 
physicians with staff privileges that are not workforce members). Such 
change does not permit employers and pharmaceutical representatives to 
receive access to protected health information from or through an OHCA 
in a manner they would otherwise be prohibited from now.

V. Modifications to the Breach Notification Rule Under the HITECH Act

A. Background

    Section 13402 of the HITECH Act requires HIPAA covered entities to 
provide notification to affected individuals and to the Secretary of 
HHS following the discovery of a breach of unsecured protected health 
information. In some cases, the Act requires covered entities also to 
provide notification to the media of breaches. In the case of a breach 
of unsecured protected health

[[Page 5639]]

information at or by a business associate of a covered entity, the Act 
requires the business associate to notify the covered entity of the 
breach. Finally, the Act requires the Secretary to post on an HHS Web 
site a list of covered entities that experience breaches of unsecured 
protected health information involving more than 500 individuals.
    Section 13400(1) of the Act defines ``breach'' to mean, generally, 
the unauthorized acquisition, access, use, or disclosure of protected 
health information which compromises the security or privacy of such 
information. The Act includes three exceptions to this definition to 
encompass situations Congress clearly intended not to constitute 
breaches: (1) Unintentional acquisition, access, or use of protected 
health information by an employee or other person acting under the 
authority of a covered entity or business associate if such 
acquisition, access, or use was made in good faith and within the 
course and scope of the employment or other professional relationship 
of such person with the covered entity or business associate and such 
information is not further acquired, accessed, used, or disclosed by 
any person (section 13400(1)(B)(i)); (2) inadvertent disclosure of 
protected health information from one person authorized to access 
protected health information at a facility operated by a covered entity 
or business associate to another person similarly situated at the same 
facility and the information received is not further acquired, 
accessed, used or disclosed without authorization by any person 
(section 13400(1)(B)(ii) and (iii)); and (3) unauthorized disclosures 
in which an unauthorized person to whom protected health information is 
disclosed would not reasonably have been able to retain the information 
(section 13400(1)(A)).
    Further, section 13402(h) of the Act defines ``unsecured protected 
health information'' as ``protected health information that is not 
secured through the use of a technology or methodology specified by the 
Secretary in guidance'' and provides that the guidance specify the 
technologies and methodologies that render protected health information 
unusable, unreadable, or indecipherable to unauthorized individuals. 
Covered entities and business associates that implement the specified 
technologies and methodologies with respect to protected health 
information are not required to provide notifications in the event of a 
breach of such information--that is, the information is not considered 
``unsecured'' in such cases. As required by the Act, the Secretary 
initially issued this guidance on April 17, 2009 (it was subsequently 
published at 74 FR 19006 on April 27, 2009). The guidance listed and 
described encryption and destruction as the two technologies and 
methodologies for rendering protected health information unusable, 
unreadable, or indecipherable to unauthorized individuals.
    In cases in which notification is required, the Act at section 
13402 prescribes the timeliness, content, and methods of providing the 
breach notifications.
    Section 13402 required HHS to issue within 180 days of enactment 
interim final regulations to implement these breach notification 
requirements. The Department issued an interim final rule on August 24, 
2009, with a 60-day public comment period (74 FR 42740). The interim 
final rule became effective on September 23, 2009. In the preamble to 
the interim final rule, the Department also re-issued without 
substantive change its Guidance Specifying the Technologies and 
Methodologies That Render Protected Health Information Unusable, 
Unreadable, or Indecipherable to Unauthorized Individuals that was 
initially issued on April 17, 2009. The Guidance continues to specify 
encryption and destruction as the two methods for rendering protected 
health information unusable, unreadable, or indecipherable to 
unauthorized individuals--or ``secured''--and thus, exempt from the 
breach notification obligations. See 74 FR 42741-43.

B. Overview of the Interim Final Rule

    The interim final rule added a new subpart D to part 164 of title 
45 of the Code of Federal Regulations (CFR) to implement the breach 
notification provisions of section 13402 of the HITECH Act. In 
developing the interim final rule, the Department consulted closely 
with the Federal Trade Commission (FTC), which administers similar 
breach notification requirements on vendors of personal health records 
(PHRs) and their third party service providers under section 13407 of 
the HITECH Act. The interim final rule and FTC's Health Breach 
Notification Rule (74 FR 42962, published August 25, 2009) made clear 
that entities operating as HIPAA covered entities and business 
associates are subject to HHS', and not the FTC's, breach notification 
rule. Second, to address those limited cases where an entity may be 
subject to both HHS' and the FTC's rules, such as a vendor that offers 
PHRs to customers of a HIPAA covered entity as a business associate and 
also offers PHRs directly to the public, both sets of regulations were 
harmonized by including the same or similar language, within the 
constraints of the statutory language.
    The 60-day public comment period on the interim final rule closed 
on October 23, 2009. The Department received approximately 120 comments 
during the comment period from a variety of entities, including health 
care providers, hospital and medical associations, health plans, 
educational institutions, information technology companies, privacy and 
security advocates, consumer groups, state agencies, and several 
members of Congress. The provisions of the interim final rule are 
discussed in more detail below, along with the public comments 
received, and the provisions of this final rule.

C. Section-by-Section Description of Final Rule and Response to 
Comments

1. Section 164.402--Definitions
a. Definition of ``Breach''
Interim Final Rule
    Section 13400(1)(A) of the Act defines ``breach'' as the 
``unauthorized acquisition, access, use, or disclosure of protected 
health information which compromises the security or privacy of such 
information, except where an unauthorized person to whom such 
information is disclosed would not reasonably have been able to retain 
such information.'' Section 13400(1)(B) of the Act provides two 
additional exceptions to the definition of ``breach.'' The interim 
final rule at 45 CFR 164.402 defined a ``breach'' to mean generally 
``the acquisition, access, use, or disclosure of protected health 
information in a manner not permitted [by the Privacy Rule] which 
compromises the security or privacy of the protected health 
information.'' The definition included the statutory exceptions to the 
definition (discussed below) and clarified that ``unauthorized'' for 
purposes of the statute meant in a manner not permitted by the Privacy 
Rule.
    In addition, for purposes of this definition, the rule provided 
that ``compromises the security or privacy of the protected health 
information'' means poses a significant risk of financial, 
reputational, or other harm to the individual. The Department included 
this standard regarding a significant risk of harm to the individual 
(i.e., harm standard) after considering public comment received in 
response to the Department's request for information on the HITECH 
Act's breach notification provisions. See 74 FR 19006. The inclusion of 
the harm standard was intended to align the Department's rule with many 
State

[[Page 5640]]

breach notification laws, as well as existing obligations on Federal 
agencies pursuant to OMB Memorandum M-07-16, that have similar 
standards for triggering breach notification. In addition, the standard 
was intended to ensure that consumers were not flooded with breach 
notifications for inconsequential events, which could cause unnecessary 
anxiety and eventual apathy among consumers.
    To determine whether an impermissible use or disclosure of 
protected health information constitutes a breach under this standard, 
covered entities and business associates were required to perform a 
risk assessment to determine if there is a significant risk of harm to 
the individual as a result of the impermissible use or disclosure. In 
conducting the risk assessment, covered entities and business 
associates were to consider a number or combination of factors, 
including who impermissibly used the information or to whom the 
information was impermissibly disclosed; whether the covered entity or 
business associate had taken steps to mitigate or eliminate the risk of 
harm; whether the protected health information was actually accessed; 
and what type or amount of protected health information was 
impermissibly used or disclosed.
    The rule provided further that an impermissible use or disclosure 
of protected health information that qualifies as a limited data set 
but also excludes dates of birth and zip codes (both identifiers that 
may otherwise be included in a limited data set) does not compromise 
the security or privacy of the protected health information. The 
Department included this narrow exception in the belief that it would 
be very difficult to re-identify a limited data set that excludes dates 
of birth and zip codes. Thus, a breach of such information would pose a 
low level of risk of harm to an individual.
    The interim final rule also included the three statutory exceptions 
to the definition of breach. To implement section 13400(1)(B)(i) of the 
Act, the first regulatory exception provided that a breach excludes any 
unintentional acquisition, access, or use of protected health 
information by a workforce member or person acting under the authority 
of a covered entity or business associate, if such acquisition, access, 
or use was made in good faith and within the scope of authority and 
does not result in further use or disclosure in a manner not permitted 
by the Privacy Rule. We substituted the term ``workforce members'' for 
the statutory term ``employees'' because ``workforce member'' is a 
defined term for purposes of the HIPAA Rules and means employees, 
volunteers, trainees, and other persons whose conduct, in the 
performance of work for a covered entity or business associate, is 
under the direct control of such covered entity or business associate.
    In addition to unintentional, good faith access to protected health 
information by workforce members, this exception covers similar access 
by a business associate of a covered entity or subcontractor with 
respect to a business associate or other person acting on behalf of a 
covered entity or business associate. The exception does not, however, 
cover situations involving snooping employees, because access as a 
result of such snooping would be neither unintentional nor done in good 
faith.
    To implement section 13400(1)(B)(ii) and (iii) of the Act, the 
second regulatory exception provided that a breach excludes inadvertent 
disclosures of protected health information from a person who is 
authorized to access protected health information at a covered entity 
or business associate to another person authorized to access protected 
health information at the same covered entity, business associate, or 
organized health care arrangement in which the covered entity 
participates. The regulatory exception includes reference to an 
``organized health care arrangement'' to capture, among other things, 
clinically integrated care settings in which individuals typically 
receive health care from more than one health care provider, such as a 
hospital, and the health care providers who have staff privileges at 
the hospital.
    In this regulatory exception, we also interpreted the statutory 
limitations that the disclosure be to ``another person similarly 
situated at the same facility'' to mean that the disclosure be to 
another person authorized to access protected health information (even 
if the two persons may not be authorized to access the same types of 
protected health information) at the same covered entity, business 
associate, or organized health care arrangement in which the covered 
entity participates (even if the covered entity, business associate, or 
organized health care arrangement has multiple facilities or locations 
across the country).
    Finally, to implement section 13400(1)(A) of the Act, the interim 
final rule exempted disclosures of protected health information where a 
covered entity or a business associate has a good faith belief that an 
unauthorized person to whom the disclosure was made would not 
reasonably have been able to retain such information. For example, if a 
covered entity, due to a lack of reasonable safeguards, sends a number 
of explanations of benefits (EOBs) to the wrong individuals and a few 
of the EOBs are returned by the post office, unopened, as 
undeliverable, the covered entity can conclude that the improper 
addressees could not reasonably have retained the information. The EOBs 
that were not returned as undeliverable, however, and that the covered 
entity knows were sent to the wrong individuals, should be treated as 
potential breaches. As another example, if a nurse mistakenly hands a 
patient the discharge papers belonging to another patient, but she 
quickly realizes her mistake and recovers the protected health 
information from the patient, this would not constitute a breach if the 
nurse can reasonably conclude that the patient could not have read or 
otherwise retained the information.
    With respect to any of the three exceptions discussed above, a 
covered entity or business associate has the burden of proof, pursuant 
to Sec.  164.414(b) (discussed below), for showing why breach 
notification was not required. Accordingly, the covered entity or 
business associate must document why the impermissible use or 
disclosure falls under one of the above exceptions.
Overview of Public Comments
    Of the approximately 85 public comments received on the interim 
final rule addressing the definition of breach, approximately 70 of 
those comments addressed the harm standard and risk assessment approach 
in the interim final rule. We received approximately 60 comments in 
support of the harm standard and the risk assessment approach. The 
commenters in support of this approach included providers, health 
plans, professional associations, and certain members of Congress. 
These commenters argued that the inclusion of the harm standard and 
accompanying risk assessment was consistent with the statutory 
language, aligned the interim final rule with many State breach 
notification laws and Federal policies, and appropriately placed the 
obligation to determine if a breach had occurred on covered entities 
and business associates since they had the requisite knowledge of the 
incident to best assess the likely impact of the impermissible use or 
disclosure.
    The proponents of the harm standard and risk assessment approach 
also argued that its removal would increase the cost and burden of 
implementing the rule for covered entities, business associates, as 
well as HHS, and may cause unnecessary anxiety and eventual

[[Page 5641]]

apathy among consumers if notifications are sent when there is no risk 
of harm to the individual.
    We also received approximately 10 comments opposed to the harm 
standard. Generally, the commenters opposed to this approach were 
members of Congress and consumer advocacy groups. Some opponents of the 
harm standard argued that its addition to the interim final rule set 
too high a bar for triggering breach notification, which was contrary 
to statutory intent. These commenters argued that the final rule should 
adopt a bright line standard for breach notification to ensure that 
individuals are aware of all impermissible uses and disclosures of 
their health information regardless of the potential risk and to make 
implementation and enforcement of the rule more uniform by removing the 
discretion and judgment given to covered entities in the interim final 
rule. These commenters argued that such transparency would better breed 
consumer trust and would allow individuals to assess the risk of harm 
themselves and take necessary measures to mitigate an impermissible use 
or disclosure of their health information.
    Other commenters, while opposed to a harm standard to trigger 
breach notification, nonetheless agreed that breach notification should 
not be required following every impermissible use or disclosure of 
unsecured protected health information no matter how inconsequential 
the breach. These commenters argued that, rather than a subjective 
standard measuring the risk of harm to an individual, the final rule 
should include a more objective standard against which entities would 
be required to assess risk. These commenters suggested that the risk 
assessment should focus on the risk that the protected health 
information was compromised instead of on the risk of harm to the 
individual. Additionally, these commenters proposed four factors that 
should be considered to determine whether the information was 
compromised: (1) To whom the information was impermissibly disclosed; 
(2) whether the information was actually accessed or viewed; (3) the 
potential ability of the recipient to identify the subjects of the 
data; and (4) in cases where the recipient is the disclosing covered 
entity's business associate or is another covered entity, whether the 
recipient took appropriate mitigating action.
    Some commenters stated that the default function of the rule was 
unclear. In particular, these commenters questioned whether the rule 
required notification of a breach unless it is determined that a 
significant risk of harm does not exist, or alternatively, required 
notification only in cases where significant risk of harm can be 
demonstrated. Other commenters suggested that we include in the 
definition an express presumption of a breach unless an entity can show 
otherwise.
    Additionally, many commenters responded to the treatment of limited 
data sets in the interim final rule. Although many commenters expressed 
support for the assertion that limited data sets that do not contain 
dates of birth and zip codes do not compromise the security or privacy 
of protected health information, most of these commenters expressed 
concern that the interim final rule did not go far enough and should 
exempt even those limited data sets that contain dates of birth and/or 
zip codes from the breach notification requirements. These commenters 
argued that no impermissible use or disclosure of a limited data set 
should trigger breach notification obligations because without the 16 
direct identifiers that the Privacy Rule requires to be stripped from 
the information, there is minimal risk of harm to the individual. 
Additionally, commenters indicated it would be costly and burdensome 
for entities to have to re-identify the information in a limited data 
set to provide notification and that re-identifying the information 
could also pose an additional risk of harm to the affected individuals. 
Finally, other commenters noted that because researchers commonly rely 
on limited data sets that contain dates of birth and zip codes, 
researchers would not be able to take advantage of the exception for 
certain limited data sets in the interim final rule, which may have the 
effect of deterring research.
    In contrast, some commenters expressed concern regarding the 
inclusion of even the limited exception to the definition of breach for 
limited data sets that do not include dates of birth and zip codes. 
These commenters supported requiring entities to perform a risk 
assessment to determine whether an impermissible use or disclosure of 
such information compromised the security or privacy of the 
information, as there may be a risk of re-identification of this 
information depending on who received the information.
Final Rule
    After considering the public comments on the definition, the 
Department in this final rule amends the definition of ``breach'' at 45 
CFR 164.402. Based on the comments, we recognize that the language used 
in the interim final rule and its preamble could be construed and 
implemented in manners we had not intended. Accordingly, this final 
rule modifies and clarifies the definition of breach and the risk 
assessment approach outlined in the interim final rule.
    First, we have added language to the definition of breach to 
clarify that an impermissible use or disclosure of protected health 
information is presumed to be a breach unless the covered entity or 
business associate, as applicable, demonstrates that there is a low 
probability that the protected health information has been compromised. 
We recognize that some persons may have interpreted the risk of harm 
standard in the interim final rule as setting a much higher threshold 
for breach notification than we intended to set. As a result, we have 
clarified our position that breach notification is necessary in all 
situations except those in which the covered entity or business 
associate, as applicable, demonstrates that there is a low probability 
that the protected health information has been compromised (or one of 
the other exceptions to the definition of breach applies). We believe 
that the express statement of this presumption in the final rule will 
help ensure that all covered entities and business associates interpret 
and apply the regulation in a uniform manner and also responds to 
commenters that indicated the default function of the rule was unclear. 
This new language is also consistent with Sec.  164.414, which provides 
that covered entities and business associates have the burden of proof 
to demonstrate that all notifications were provided or that an 
impermissible use or disclosure did not constitute a breach (such as by 
demonstrating through a risk assessment that there was a low 
probability that the protected health information had been compromised) 
and must maintain documentation sufficient to meet that burden of 
proof.
    Second, to further ensure that this provision is applied uniformly 
and objectively by covered entities and business associates, we have 
removed the harm standard and modified the risk assessment to focus 
more objectively on the risk that the protected health information has 
been compromised. Thus, breach notification is not required under the 
final rule if a covered entity or business associate, as applicable, 
demonstrates through a risk assessment that there is a low probability 
that the protected health information has been compromised, rather than 
demonstrate that there is no significant risk of harm to the individual 
as was provided under

[[Page 5642]]

the interim final rule. The final rule also identifies the more 
objective factors covered entities and business associates must 
consider when performing a risk assessment to determine if the 
protected health information has been compromised and breach 
notification is necessary.
    Although some commenters urged us to implement a bright line 
standard, requiring notification for all impermissible uses and 
disclosures without any assessment of risk, we believe that a risk 
assessment is necessary. The statute acknowledges, by including a 
specific definition of breach and identifying exceptions to this 
definition, as well as by providing that an unauthorized acquisition, 
access, use, or disclosure of protected health information must 
compromise the security or privacy of such information to be a breach, 
that there are several situations in which unauthorized acquisition, 
access, use, or disclosure of protected health information is so 
inconsequential that it does not warrant notification. In addition to 
the statutory exceptions that have been included in both the interim 
final rule and this final rule, there may be other similar situations 
that do not warrant breach notification. We agree with commenters that 
providing notification in such cases may cause the individual 
unnecessary anxiety or even eventual apathy if notifications of these 
types of incidents are sent routinely. For example, if a covered entity 
misdirects a fax containing protected health information to the wrong 
physician practice, and upon receipt, the receiving physician calls the 
covered entity to say he has received the fax in error and has 
destroyed it, the covered entity may be able to demonstrate after 
performing a risk assessment that there is a low risk that the 
protected health information has been compromised. Although this 
scenario does not fit into any of the statutory or regulatory 
exceptions, we believe that, like the exceptions to breach, 
notification should not be required if the covered entity demonstrates 
a low probability that the data has been compromised.
    Commenters argued that a rule containing a bright line standard for 
notification would be easier for both the regulated entities to 
implement and for HHS to enforce. We disagree. Although a rule that 
required notification following every impermissible use or disclosure 
may appear easier for covered entities and business associates to 
implement--as no determination of the risk that the protected health 
information has been compromised would be required--in effect, a bright 
line standard would be extremely burdensome and costly for entities to 
implement. With no risk assessment following an impermissible use or 
disclosure, entities may be required to provide many notices each year 
for incidents that did not compromise the security or privacy of an 
individual's protected health information.
    Although we do not believe a bright line approach to breach 
notification is appropriate, we do agree with the commenters who 
expressed concern that the risk assessment focus on ``harm to an 
individual'' in the interim final rule was too subjective and would 
lead to inconsistent interpretations and results across covered 
entities and business associates. As a result, instead of assessing the 
risk of harm to the individual, covered entities and business 
associates must assess the probability that the protected health 
information has been compromised based on a risk assessment that 
considers at least the following factors: (1) The nature and extent of 
the protected health information involved, including the types of 
identifiers and the likelihood of re-identification; (2) the 
unauthorized person who used the protected health information or to 
whom the disclosure was made; (3) whether the protected health 
information was actually acquired or viewed; and (4) the extent to 
which the risk to the protected health information has been mitigated. 
We believe that the use of these factors, which are derived from the 
factors listed in the interim final rule as well as many of the factors 
suggested by commenters, will result in a more objective evaluation of 
the risk to the protected health information and a more uniform 
application of the rule.
    As we have modified and incorporated the factors that must be 
considered when performing a risk assessment into the regulatory text, 
covered entities and business associates should examine their policies 
to ensure that when evaluating the risk of an impermissible use or 
disclosure they consider all of the required factors. In addition, 
given the circumstances of the impermissible use or disclosure, 
additional factors may need to be considered to appropriately assess 
the risk that the protected health information has been compromised. We 
note that, although we have included this risk assessment in the final 
rule, this type of assessment of risk should not be a new or different 
exercise for covered entities and business associates. Similar 
assessments of risk that data have been compromised must be performed 
routinely following security breaches and to comply with certain State 
breach notification laws.
    The first factor requires covered entities and business associates 
to evaluate the nature and the extent of the protected health 
information involved, including the types of identifiers and the 
likelihood of re-identification of the information. To assess this 
factor, entities should consider the type of protected health 
information involved in the impermissible use or disclosure, such as 
whether the disclosure involved information that is of a more sensitive 
nature. For example, with respect to financial information, this 
includes credit card numbers, social security numbers, or other 
information that increases the risk of identity theft or financial 
fraud. With respect to clinical information, this may involve 
considering not only the nature of the services or other information 
\11\ but also the amount of detailed clinical information involved 
(e.g., treatment plan, diagnosis, medication, medical history 
information, test results). Considering the type of protected health 
information involved in the impermissible use or disclosure will help 
entities determine the probability that the protected health 
information could be used by an unauthorized recipient in a manner 
adverse to the individual or otherwise used to further the unauthorized 
recipient's own interests. Additionally, in situations where there are 
few, if any, direct identifiers in the information impermissibly used 
or disclosed, entities should determine whether there is a likelihood 
that the protected health information released could be re-identified 
based on the context and the ability to link the information with other 
available information.\12\ For example, if a covered entity 
impermissibly disclosed a list of patient names, addresses, and 
hospital identification numbers, the protected health information is 
obviously identifiable, and a risk assessment likely would determine 
that there is more than a low probability that the information has been 
compromised, dependent on an assessment of the other factors discussed 
below. Alternatively, if the covered entity disclosed a list of patient 
discharge dates and diagnoses, the

[[Page 5643]]

entity would need to consider whether any of the individuals could be 
identified based on the specificity of the diagnosis, the size of the 
community served by the covered entity, or whether the unauthorized 
recipient of the information may have the ability to combine the 
information with other available information to re-identify the 
affected individuals (considering this factor in combination with the 
second factor discussed below). We emphasize, however, that the entity 
must evaluate all the factors, including those discussed below, before 
making a determination about the probability of risk that the protected 
health information has been compromised.
---------------------------------------------------------------------------

    \11\ We caution that many forms of health information, not just 
information about sexually transmitted diseases or mental health or 
substance abuse, are sensitive.
    \12\ Information that has been de-identified in accordance with 
45 CFR 164.514(a)-(c) is not protected health information, and thus, 
any inadvertent or unauthorized use or disclosure of such 
information is not considered a breach for purposes of this rule.
---------------------------------------------------------------------------

    The second factor requires covered entities and business associates 
to consider the unauthorized person who impermissibly used the 
protected health information or to whom the impermissible disclosure 
was made. Entities should consider whether the unauthorized person who 
received the information has obligations to protect the privacy and 
security of the information. For example, as discussed in the interim 
final rule, if protected health information is impermissibly disclosed 
to another entity obligated to abide by the HIPAA Privacy and Security 
Rules or to a Federal agency obligated to comply with the Privacy Act 
of 1974 and the Federal Information Security Management Act of 2002, 
there may be a lower probability that the protected health information 
has been compromised since the recipient of the information is 
obligated to protect the privacy and security of the information in a 
similar manner as the disclosing entity. We also emphasize that this 
factor should be considered in combination with the factor discussed 
above regarding the risk of re-identification. If the information 
impermissibly used or disclosed is not immediately identifiable, 
entities should determine whether the unauthorized person who received 
the protected health information has the ability to re-identify the 
information. For example, if information containing dates of health 
care service and diagnoses of certain employees was impermissibly 
disclosed to their employer, the employer may be able to determine that 
the information pertains to specific employees based on other 
information available to the employer, such as dates of absence from 
work. In this case, there may be more than a low probability that the 
protected health information has been compromised.
    Several commenters suggested that a risk assessment need be 
completed following only impermissible disclosures of protected health 
information, since information impermissibly ``used'' remains within 
the covered entity or business associate. We disagree. The final rule 
requires a risk assessment to be performed following both impermissible 
uses and disclosures (that do not otherwise fall within the other 
enumerated exceptions to breach). However, the fact that information 
only is impermissibly used within a covered entity or business 
associate and the impermissible use does not result in further 
impermissible disclosure outside the entity, is something that may be 
taken into account in conducting the risk assessment and may reduce the 
probability that the protected health information has been compromised.
    The third factor requires covered entities and business associates 
to investigate an impermissible use or disclosure to determine if the 
protected health information was actually acquired or viewed or, 
alternatively, if only the opportunity existed for the information to 
be acquired or viewed. For example, as we discussed in the interim 
final rule, if a laptop computer was stolen and later recovered and a 
forensic analysis shows that the protected health information on the 
computer was never accessed, viewed, acquired, transferred, or 
otherwise compromised, the entity could determine that the information 
was not actually acquired by an unauthorized individual even though the 
opportunity existed. In contrast, however, if a covered entity mailed 
information to the wrong individual who opened the envelope and called 
the entity to say that she received the information in error, then, in 
this case, the unauthorized recipient viewed and acquired the 
information because she opened and read the information to the extent 
that she recognized it was mailed to her in error.
    The final factor included in the final rule requires covered 
entities and business associates to consider the extent to which the 
risk to the protected health information has been mitigated. Covered 
entities and business associates should attempt to mitigate the risks 
to the protected health information following any impermissible use or 
disclosure, such as by obtaining the recipient's satisfactory 
assurances that the information will not be further used or disclosed 
(through a confidentiality agreement or similar means) or will be 
destroyed, and should consider the extent and efficacy of the 
mitigation when determining the probability that the protected health 
information has been compromised. We note that this factor, when 
considered in combination with the factor regarding the unauthorized 
recipient of the information discussed above, may lead to different 
results in terms of the risk to the protected health information. For 
example, a covered entity may be able to obtain and rely on the 
assurances of an employee, affiliated entity, business associate, or 
another covered entity that the entity or person destroyed information 
it received in error, while such assurances from certain third parties 
may not be sufficient. As described above, certain commenters suggested 
that mitigation should only be considered where the recipient of the 
information is a business associate of the covered entity or another 
covered entity. We do not in this rule limit this factor to those 
circumstances but, as discussed above, acknowledge that the recipient 
of the information will have an impact on whether the covered entity 
can conclude that an impermissible use or disclosure has been 
appropriately mitigated.
    A covered entity's or business associate's analysis of the 
probability that protected health information has been compromised 
following an impermissible use or disclosure must address each factor 
discussed above. Other factors may also be considered where necessary. 
Covered entities and business associates must then evaluate the overall 
probability that the protected health information has been compromised 
by considering all the factors in combination, and we expect these risk 
assessments to be thorough, completed in good faith, and for the 
conclusions reached to be reasonable. If an evaluation of the factors 
discussed above fails to demonstrate that there is a low probability 
that the protected health information has been compromised, breach 
notification is required. We do note, however, that a covered entity or 
business associate has the discretion to provide the required 
notifications following an impermissible use or disclosure of protected 
health information without performing a risk assessment. Because the 
final rule clarifies the presumption that a breach has occurred 
following every impermissible use or disclosure of protected health 
information, entities may decide to notify without evaluation of the 
probability that the protected health information has been compromised. 
In the future, we will issue additional guidance to aid covered 
entities and business associates in performing risk assessments with 
respect to frequently occurring scenarios.

[[Page 5644]]

    In addition to the removal of the harm standard and the creation of 
more objective factors to evaluate the probability that protected 
health information has been compromised, we have removed the exception 
for limited data sets that do not contain any dates of birth and zip 
codes. In the final rule, following the impermissible use or disclosure 
of any limited data set, a covered entity or business associate must 
perform a risk assessment that evaluates the factors discussed above to 
determine if breach notification is not required.
    The vast majority of commenters were not supportive of the 
exception for certain limited data sets outlined in the interim final 
rule, either because they believed the exception did not go far enough 
and would chill research that needed access to birth dates and zip 
codes in limited data sets, or because of concerns regarding the re-
identifiability of the limited information to which the exception 
applied. Based on the comments, we believe it is appropriate to require 
the impermissible use or disclosure of a limited data set, even those 
that do not contain dates of birth and zip codes, to be subject to a 
risk assessment to demonstrate that breach notification is not 
required. The final rule expressly includes a factor that would require 
consideration of the re-identifiability of the information, as well a 
factor that requires an assessment of the unauthorized person who used 
the protected health information or to whom the disclosure was made 
(i.e., whether this person has the ability to re-identify the affected 
individuals). Thus, the factors are particularly suited to address the 
probability that a data set without direct identifiers has been 
compromised following an impermissible use or disclosure. Further, we 
believe in most cases that the result would be the same under this 
final rule as under the interim final rule with respect to whether an 
impermissible use or disclosure of a limited data set that also 
excludes dates of birth and zip codes constitutes a breach for which 
notification is required. Due to the lack of identifiers present in the 
protected health information, entities may reasonably determine that 
there is a low probability of risk that the information has been 
compromised; however, we stress that this is a fact specific 
determination to be made based on the circumstances of the 
impermissible use or disclosure.
    We encourage covered entities and business associates to take 
advantage of the safe harbor provision of the breach notification rule 
by encrypting limited data sets and other protected health information 
pursuant to the Guidance Specifying the Technologies and Methodologies 
that Render Protected Health Information Unusable, Unreadable, or 
Indecipherable to Unauthorized Individuals (74 FR 42740, 42742). If 
protected health information is encrypted pursuant to this guidance, 
then no breach notification is required following an impermissible use 
or disclosure of the information.
    In addition to the comments discussed above, it was suggested that 
covered entities be required to include in their notice of privacy 
practices information about how a risk assessment will be conducted or 
their internal policies for determining whether a breach has occurred 
and notification is warranted. It was also suggested that the breach 
notice to the individual following discovery of a breach of unsecured 
protected health information contain information about the covered 
entity or business associate's risk assessment to help the individual 
better assess the level of threat posed by the breach and to better 
determine the appropriate steps, if any, to take.
    We decline to require that the covered entity's notice of privacy 
practices include a description of how a risk assessment will be 
conducted, although covered entities may include such information in 
their notice of privacy practices if they choose. While each risk 
assessment will differ depending on the specific facts and 
circumstances surrounding the impermissible use or disclosure, we 
believe that the modifications in this final rule will help ensure that 
covered entities and business associates perform risk assessments more 
uniformly and objectively. We also note that the content requirements 
for the notice to the individual outlined in Sec.  164.404(c) already 
require that the individual be notified of the circumstances of a 
breach, as well as what steps individuals should take to protect 
themselves from potential harm resulting from the breach.
    One commenter suggested that we require a covered entity to hire an 
independent organization to assess the risk of an impermissible use or 
disclosure to determine if breach notification is required. We do not 
believe such a requirement is necessary, although covered entities are 
free to engage independent organizations to assist in making such 
determinations provided that, if access to protected health information 
is required, business associate agreements are entered into to protect 
the information. Further, we believe the modifications in this final 
rule are conducive to more uniform risk assessments across covered 
entities and business associates. Additionally, as with the interim 
final rule, we note that covered entities and business associates have 
the burden of proof, pursuant to Sec.  164.414, to demonstrate that all 
notifications were provided or that an impermissible use or disclosure 
did not constitute a breach and to maintain documentation (e.g., of the 
risk assessment demonstrating that there was a low probability that the 
protected health information had been compromised or of the assessment 
that the impermissible use or disclosure falls within one of the other 
exceptions to breach), pursuant to 45 CFR 164.530(j)(1)(iv), as 
necessary to meet this burden of proof. Thus, covered entities and 
business associates have adequate incentive to conduct reasonable and 
diligent risk assessments.
    Finally, after reviewing and considering the comments received 
regarding the exceptions to the definition of breach in the interim 
final rule, the Department adopts these exceptions without modification 
in this final rule. Although the substance of these exceptions has not 
changed, these exceptions are now located at paragraph (1) of the 
definition of breach instead of paragraph (2) to accommodate the 
modifications discussed above. We respond to the public comments 
addressing these exceptions, as well as other comments received on the 
definition of ``breach,'' below.
Response to Other Public Comments
    Comment: Many commenters expressed concern that violations of the 
minimum necessary standard may trigger breach notification obligations.
    Response: We do not believe it would be appropriate to exempt 
minimum necessary violations from the breach notification obligations 
as we do not believe that all minimum necessary violations present a 
low probability that the protected health information has been 
compromised. Thus, uses or disclosures that impermissibly involve more 
than the minimum necessary information, in violation of Sec. Sec.  
164.502(b) and 164.514(d), may qualify as breaches. Such incidents must 
be evaluated as any other impermissible uses or disclosures to 
determine whether breach notification is not required.
    As explained above, there are several factors to be considered when 
determining the probability that the protected health information 
involved in an impermissible use or disclosure has been compromised, 
including the

[[Page 5645]]

unauthorized person who used the information or to whom the disclosure 
was made. Thus, where a minimum necessary violation occurs in a 
disclosure to a business associate or as an internal use within a 
covered entity or business associate, the fact that the information was 
not acquired by a third party would be considered as part of the risk 
assessment and may help lead to the conclusion that there is a low 
probability that the protected health information has been compromised. 
Alternatively, covered entities and business associates may determine 
that certain minimum necessary violations fall within the exceptions to 
the definition of breach at Sec.  164.402(1)(i) or (1)(ii).
    We note that the Privacy Rule's minimum necessary standard requires 
a covered entity to make reasonable efforts to limit access to 
protected health information to those persons or classes of persons who 
need access to protected health information to carry out their duties 
and to disclose an amount of protected health information reasonably 
necessary to achieve the purpose of a disclosure. The Privacy Rule 
requires covered entities to determine and define in their policies and 
procedures how the minimum necessary standard applies to their own uses 
and disclosures. Thus, covered entities are in a good position to know 
when such policies and procedures have been violated and to assess the 
probability that the incident has compromised the security or privacy 
of the information. Finally, we will consider including further 
guidance regarding the interaction between the minimum necessary 
standard and the breach notification requirements in the guidance 
required by section 13405(b)(1)(B) of the HITECH Act.
    Comment: Several commenters asked that we clarify the differences 
between ``acquisition,'' ``access,'' ``use,'' and ``disclosure'' in the 
exceptions in the final rule. These commenters expressed confusion 
regarding the use of these terms in the first two exceptions to the 
definition of breach, stating that the term ``acquisition'' connotes a 
disclosure of information, and thus, the exception regarding 
unintentional acquisition, access, or use of protected health 
information by a workforce member or person acting under the authority 
of a covered entity or business associate implicitly includes 
disclosures of protected health information.
    Response: While the Privacy Rule uses the terms ``use'' and 
``disclosure,'' we included both ``acquisition'' and ``access'' in the 
regulatory text for consistency with the statutory language. We 
interpret ``acquisition'' and ``access'' to information based on their 
plain meanings and believe that both terms are encompassed within the 
current definitions of ``use'' and ``disclosure'' in the HIPAA Rules. 
For example, an acquisition may be a ``use'' or ``disclosure'' 
depending on who acquired the information--i.e., a workforce member or 
someone outside the covered entity, such as a business associate.
    Comment: Several commenters supported our interpretations of the 
statutory terms ``employee,'' ``same facility,'' and ``similarly 
situated individual'' with respect to the exceptions to the definition 
of breach.
    Response: We retain these clarifications in this final rule.
    Comment: Some commenters asked that we use the term ``use'' instead 
of ``disclosure'' to describe the type of information exchange 
contemplated by the exception for certain inadvertent disclosures among 
persons similarly authorized to access protected health information at 
a covered entity or business associate since the information must be 
shared within a covered entity or business associate for the exception 
to apply.
    Response: We clarify that the exception at paragraph (1)(ii) of the 
definition of ``breach'' is intended to apply to certain 
``disclosures'' that may occur ``at'' a covered entity, business 
associate, or organized health care arrangement in which the covered 
entity participates--e.g., to persons onsite at a covered entity's 
facility that are not workforce members, such as physicians with staff 
privileges at a hospital. For impermissible ``uses'' of protected 
health information among workforce members of a covered entity or a 
business associate, a covered entity or business associate should 
determine whether the exception to breach at paragraph (1)(i) regarding 
certain unintentional acquisition, access, or use by a workforce member 
or person acting under the authority of a covered entity or business 
associate applies.
    Comment: One commenter asked if breach notification is required in 
cases where an impermissible use or disclosure originally qualifies for 
either of the exceptions to breach at Sec.  164.402(1)(i) or (1)(ii) at 
the time the incident occurs but later no longer fits within the 
exception because the protected health information is further used or 
disclosed in an impermissible manner.
    Response: The applicability of an exception to breach must be 
judged at the time the incident is discovered and evaluated. If an 
exception to breach is determined to apply such that notification is 
not warranted, the inquiry into that breach ends; however, the covered 
entity or business associate should take appropriate steps to ensure 
that the information is not further used or disclosed impermissibly. 
If, sometime after making the determination that the exception applied, 
the information is impermissibly used or disclosed, the covered entity 
or business associate should treat that incident as a separate 
impermissible use or disclosure that warrants evaluation as a breach on 
its own. As explained more fully below, we treat a breach as having 
occurred at the time of the impermissible use or disclosure, which in 
the case of the first two exceptions to breach, is at the time of the 
``further'' impermissible use or disclosure.
    Comment: One commenter asked that we broaden the application of the 
inadvertent disclosure exception to apply to all routine disclosures 
between covered entities. Other commenters asked that the rule exempt 
from the breach notification obligations situations in which a covered 
entity discloses information to a business associate or another covered 
entity. Commenters noted that because covered entities and business 
associates are required to protect the privacy of protected health 
information, there is little risk that even an impermissible disclosure 
between such entities would compromise the security or privacy of the 
information.
    Response: We do not agree that such situations warrant a blanket 
exception from the breach notification rules. In appropriate cases, 
some of these impermissible disclosures among covered entities and 
covered entities and business associates may fall within the existing 
exceptions to breach at paragraphs (1)(i) and (ii) of the definition. 
Otherwise, such disclosures must be evaluated as to the probability 
that the protected health information has been compromised based on a 
risk assessment of a number of factors. While the fact that the 
recipient of an impermissible disclosure is a covered entity or 
business associate with obligations to protect the privacy and security 
of protected health information is a consideration with respect to 
assessing the risk that the protected health information has been 
compromised, it is not the only factor. For example, a covered entity 
or business associate must also evaluate the extent to which the risk 
to the protected health information has been mitigated.
    Comment: Several commenters suggested that the exceptions to breach 
should not apply to situations where

[[Page 5646]]

workforce members or employees further use or disclose information they 
unintentionally or inadvertently acquired, accessed, or used, even if 
such further use or disclosure is permitted under the Privacy Rule. 
Additionally, these commenters suggested that the breach exceptions 
should apply only in cases in which the workforce member or employee 
has taken appropriate steps to mitigate the unintentional acquisition, 
access, or use of protected health information, such as by alerting the 
sender of the misdirected information, if applicable, and returning or 
destroying it.
    Response: We do not believe it is appropriate to prohibit the 
sharing of protected health information for permissible purposes 
following an unintentional or inadvertent error by a workforce member 
or an employee. Doing so would restrict access and disclosure of the 
protected health information for necessary treatment and other 
important purposes to the extent the workforce member or employee 
needed access to the information in the future for authorized purposes, 
which would adversely affect health care delivery. We believe that the 
rule strikes an appropriate balance by not allowing workforce member 
errors to be excepted from the definition of breach in cases where the 
workforce member takes the information he or she has mistakenly 
obtained and then misuses it.
    With respect to requiring workforce members or employees to take 
appropriate steps to mitigate their unintentional access to protected 
health information, we note that the Privacy Rule already requires 
covered entities to ensure as part of their minimum necessary policies 
and procedures that workforce members have appropriate access to 
protected health information. Therefore, covered entities should ensure 
that workforce members who gain access in an unauthorized manner to 
protected health information do not continue to have such unauthorized 
access. This may require having policies which require workforce 
members to return or destroy the information to which they obtained 
unauthorized access. Further, covered entities must implement 
reasonable safeguards to protect against impermissible uses and 
disclosures, including further impermissible uses and disclosures by a 
workforce member who has gained unauthorized access to protected health 
information.
    Comment: One commenter asked that we include an exception in the 
final rule for situations in which a laptop is lost and recovered and a 
forensic analysis shows that the protected health information on the 
computer was not accessed. The commenter stated that because the 
forensic analysis showed that the information was not compromised, a 
risk assessment should not be required.
    Response: We do not include an explicit exception for this 
particular scenario. As we explained above, in cases where a lost 
laptop is recovered, the fact that a forensic analysis of the computer 
shows that its information was not accessed is a relevant consideration 
for the risk assessment, and entities in such situations may be able to 
demonstrate a low probability that the information has been 
compromised. However, covered entities and business associates still 
must document their risk assessments in these cases. We also note, as 
we did in the interim final rule, if a computer is lost or stolen, we 
do not consider it reasonable to delay breach notification based on the 
hope that the computer will be recovered.
    Comment: Some commenters asked that we create an exception to 
breach to cover certain routine impermissible disclosures of protected 
health information. For example, commenters asked that we except from 
notification disclosures made as a result of the covered entity mailing 
information to a patient's old address, faxing information to the wrong 
number, disclosures made as a result of leaving a voice message at the 
wrong number reminding a patient of an upcoming appointment, or, in 
situations where patients have identical or similar names, contacting 
the wrong patient to inform him or her that lab results were ready.
    Response: We decline to create such an exception. The ability of a 
covered entity or business associate to demonstrate that a particular 
situation poses a low probability that the protected health information 
was compromised is very fact specific and will depend on an assessment 
of all of the factors discussed above, such as to whom the information 
was disclosed, what information was disclosed, and what mitigation has 
taken place. We also note that, in some cases, some of the situations 
contemplated by the commenters may fall within an existing exception. 
For example, if a covered entity mails protected health information 
about an individual to a wrong address, the impermissible disclosure 
may fall into the exception at paragraph (1)(iii) of the definition of 
breach if the information is returned, undelivered and unopened, to the 
covered entity, such that an unauthorized recipient could not 
reasonably have retained the information. If, however, the information 
was not returned or if the covered entity was informed by the 
unauthorized recipient that he had received and opened the mail in 
error, the covered entity would need to complete a risk assessment to 
determine the probability that the protected health information had 
been compromised as a result of the impermissible disclosure.
    Comment: Several commenters asked that we harmonize the final rule 
with the FTC's Health Breach Notification final rule.
    Response: Although the FTC and HHS breach notification rules 
generally apply to different entities, HHS has worked closely with the 
FTC to ensure both sets of regulations were harmonized to the greatest 
extent possible by including the same or similar requirements within 
the constraints of the statutory language. In addition, in the few 
situations where an entity provides PHRs to customers of a HIPAA 
covered entity through a business associate arrangement but also 
provides PHRs directly to the public and a breach of its records 
occurs, in certain cases, the FTC will deem compliance with certain 
provisions of HHS' rule as compliance with FTC's rule. See 74 FR 42964. 
In particular, in such situations, it may be appropriate for the vendor 
to provide the same breach notice to all its PHR customers since it has 
a direct relationship with all the affected individuals. Thus, in those 
limited circumstances where a vendor of PHRs (1) provides notice to 
individuals on behalf of a HIPAA covered entity, (2) has dealt directly 
with these individuals in managing their PHR accounts, and (3) provides 
notice to its customers at the same time, the FTC will deem compliance 
with HHS requirements governing the timing, method, and content of 
notice to be compliance with the corresponding FTC rule provisions. 
Note, however, that the PHR vendor still must comply with all other FTC 
rule requirements, including the requirement to notify the FTC within 
ten business days after discovering the breach.
b. Definition of ``Unsecured Protected Health Information''
Interim Final Rule
    Section 13402(h)(1)(A) of the Act defines ``unsecured protected 
health information'' as ``protected health information'' that is not 
secured through the use of a technology or methodology specified by the 
Secretary in guidance issued under [section 13402(h)(2)].'' The Act at 
section 13402(h)(2) requires that the Secretary specify in the guidance 
the technologies and methodologies that

[[Page 5647]]

render protected health information unusable, unreadable, or 
indecipherable to unauthorized individuals. Accordingly, the interim 
final rule defined ``unsecured protected health information'' as 
protected health information that is not rendered unusable, unreadable, 
or indecipherable to unauthorized individuals through the use of a 
technology or methodology specified by the Secretary in guidance. This 
guidance, which was published in updated form within the preamble to 
the interim final rule and made available on the HHS Web site, 
specifies that only encryption and destruction, consistent with 
National Institute of Standards and Technology (NIST) guidelines, 
renders protected health information unusable, unreadable, or 
indecipherable to unauthorized individuals such that notification is 
not required in the event of a breach of such information.
Overview of Public Comments
    While we received a number of technical and other comments on the 
guidance, we did not receive any comments on the language of the above 
definition itself. We intend to address the comments on the guidance in 
our next update to the guidance.
Final Rule
    The final rule modifies the interim final rule's definition of 
``unsecured protected health information'' to replace the term 
``unauthorized individuals'' in the definition with ``unauthorized 
persons.'' The term ``individual'' is defined in Sec.  160.103 to mean 
the person who is the subject of the protected health information, 
which is not what is intended with the reference to ``individual'' in 
the definition of ``unsecured protected health information.'' 
Accordingly, the final rule uses more appropriately the term 
``unauthorized persons.'' The final rule also modifies the definition 
to remove the term ``on the HHS Web site'' as unnecessary language. 
While we remove the reference to the HHS Web site from the regulatory 
text, we do plan to continue to post updates to the guidance on the Web 
site as they are issued.
2. Section 164.404--Notification to Individuals
Interim Final Rule
    Section 13402(a) of the Act provides that a covered entity that 
accesses, maintains, retains, modifies, records, stores, destroys, or 
otherwise holds, uses, or discloses unsecured protected health 
information shall, in the case of a breach of such information that is 
discovered by the covered entity, notify each affected individual whose 
unsecured protected health information has been, or is reasonably 
believed by the covered entity to have been, accessed, acquired, or 
disclosed as a result of such breach. Accordingly, Sec.  164.404(a)(1) 
of the interim final rule included the general rule that a covered 
entity shall, following the discovery of a breach of unsecured 
protected health information, notify each individual whose unsecured 
protected health information has been, or is reasonably believed to 
have been accessed, acquired, used, or disclosed as a result of such 
breach.
Breaches Treated as Discovered
    Section 13402(c) of the HITECH Act states that a breach shall be 
treated as discovered by a covered entity or business associate as of 
the first day on which such breach is known or should reasonably have 
been known to the covered entity or business associate. The Act also 
specifies that this discovery is triggered as soon as any person, other 
than the individual committing the breach, who is an employee, officer, 
or other agent of the covered entity or business associate knows or 
should reasonably have known of the breach.
    Section 164.404(a)(2) of the interim final rule implemented the 
Act's discovery provision, with respect to covered entities by stating 
that a breach shall be treated as discovered by a covered entity on the 
first day the breach is known to the covered entity, or by exercising 
reasonable diligence would have been known to the covered entity. The 
interim final rule incorporated the term ``by exercising reasonable 
diligence,'' which is used in the HIPAA Enforcement Rule and defined to 
mean the ``business care and prudence expected from a person seeking to 
satisfy a legal requirement under similar circumstances.''
    Section 164.404(a)(2) of the interim final rule further provided, 
in accordance with the Act, that a covered entity is deemed to have 
knowledge of a breach if such breach is known, or by exercising 
reasonable diligence would have been known, to any person other than 
the person committing the breach, who is a workforce member or agent of 
the covered entity. Thus, the breach is treated as discovered by the 
covered entity at the time the workforce member or other agent has 
knowledge of the breach. The rule also clarified that the federal 
common law of agency controls in determining who is an agent of the 
covered entity, which is consistent with how agency liability is 
determined under the HIPAA Rules.
Overview of Public Comments
    Several commenters argued that a breach should be treated as 
discovered by a covered entity only after management has been notified 
of the incident. Commenters stated that the Department should not hold 
an entity responsible for knowing of a breach if an appropriately 
trained employee fails to inform the proper persons within the entity 
of a breach. Other commenters asked for guidance and more clarification 
regarding what it means for a covered entity or business associate to 
be exercising reasonable diligence, such as what frequency of 
monitoring for breaches is expected or what types of systems must 
covered entities and business associates have in place to detect 
breaches.
Final Rule
    We retain Sec.  164.404(a)(2) in this final rule without 
modification. We decline to adopt the suggestion that a covered entity 
be deemed to have discovered a breach only when management is notified 
of the breach. The HITECH Act itself provides that a breach is to be 
treated as discovered by a covered entity or business associate if 
``any person, other than the individual committing the breach, that is 
an employee, officer, or other agent of such entity or associate'' 
knows or should reasonably have known of the breach. This concept is 
also consistent with the HIPAA Enforcement Rule and the Federal common 
law of agency. We encourage covered entities and business associates to 
ensure their workforce members and other agents are adequately trained 
on the importance of prompt reporting of privacy and security 
incidents.
    With respect to those commenters asking for guidance on what it 
means for a covered entity to be exercising reasonable diligence, we 
note that the term reasonable diligence, as defined in Sec.  160.401, 
means the business care and prudence expected from a person seeking to 
satisfy a legal requirement under similar circumstances. The 
determination of whether a person acted with reasonable diligence is 
generally a factual one, since what is reasonable depends on the 
circumstances. Factors to be considered include whether a covered 
entity or business associate took reasonable steps to learn of breaches 
and whether there were indications of breaches that a person seeking to 
satisfy the Rule would have investigated under similar circumstances. 
Covered entities and business associates may wish to look to how other 
covered entities and business associates operating under

[[Page 5648]]

similar circumstances conduct themselves for a standard of practice.
Timeliness
    Section 13402(d) of the Act and the implementing regulations at 
Sec.  164.404(b) require covered entities to notify individuals of a 
breach without unreasonable delay but in no case later than 60 calendar 
days from the discovery of the breach, except in certain circumstances 
where law enforcement has requested a delay. Under this rule, the time 
period for breach notification begins when the incident is first known, 
not when the investigation of the incident is complete, even if it is 
initially unclear whether the incident constitutes a breach as defined 
in the rule. A covered entity is expected to make the individual 
notifications as soon as reasonably possible after the covered entity 
takes a reasonable time to investigate the circumstances surrounding 
the breach in order to collect and develop the information required to 
be included in the notice to the individual. The 60 days is an outer 
limit and therefore, in some cases, it may be an ``unreasonable delay'' 
to wait until the 60th day to provide notification.
Overview of Public Comments
    While some commenters generally were supportive of this provision 
in the interim final rule, others argued that the 60-day timeframe for 
notification to individuals is unreasonable and requested more time, 
such as 120 days, to provide the notifications. Some commenters argued 
that the clock on the 60-day timeframe should not begin to run until 
after a covered entity has completed its investigation and determined 
that a breach has occurred. Another commenter expressed the need for 
clarification about the types of delays in notifying individuals that 
would be considered reasonable and whether a covered entity's resources 
would be taken into account in determining whether any delay was 
reasonable.
Final Rule
    We retain Sec.  164.404(b) in this final rule without modification. 
This is the standard expressly provided for in the statute and we 
otherwise do not believe it necessary or prudent to extend the 
timeframe. Covered entities and business associates have been operating 
under this timeliness standard since the issuance of the interim final 
rule and we believe a longer time period to notify individuals of 
breaches of unsecured protected health information could adversely 
impact affected individuals and the ability to mitigate adverse 
consequences. For the same reasons, we continue to provide that the 
time period begins to run when the incident becomes known, not when it 
is determined that a breach as defined by the rule has occurred. There 
is sufficient time within this standard both to conduct a prompt 
investigation of the incident and to notify affected individuals.
    With respect to what constitutes a reasonable versus unreasonable 
delay within the 60-day timeframe, such determinations are fact 
specific and there are many factors that may be relevant, including the 
nature of the breach, number of individuals affected, and resources of 
the covered entity.
Content of the Notification
    Section 13402(f) of the HITECH Act set forth the content 
requirements for the breach notice to the individual. Section 
164.404(c) of the interim final rule incorporated the statutory 
elements, requiring the following information be included in the 
notices, to the extent possible: (1) A brief description of what 
happened, including the date of the breach and the date of the 
discovery of the breach, if known; (2) a description of the types of 
unsecured protected health information that were involved in the breach 
(such as whether full name, social security number, date of birth, home 
address, account number, diagnosis, disability code, or other types of 
information were involved); (3) any steps individuals should take to 
protect themselves from potential harm resulting from the breach; (4) a 
brief description of what the covered entity involved is doing to 
investigate the breach, mitigate the harm to individuals, and to 
protect against any further breaches; and (5) contact procedures for 
individuals to ask questions or learn additional information, which 
shall include a toll-free telephone number, an email address, Web site, 
or postal address.
    The interim final rule added the term ``diagnosis,'' to the 
parenthetical listing of examples of types of protected health 
information, which was not in the statute, to make clear that, where 
appropriate, a covered entity may need to indicate in the notification 
to the individual whether and what types of treatment information were 
involved in a breach. In addition, with respect to a covered entity's 
mitigation, the interim final rule replaced the statutory term 
``mitigate losses'' with ``mitigate harm to individuals'' to make clear 
that the notification should describe the steps the covered entity is 
taking to mitigate potential harm to individuals resulting from the 
breach and that such harm is not limited to economic loss.
    To address the readability and accessibility of the notice, the 
interim final rule made a number of clarifications. First, the 
Department included in the interim final rule a requirement that the 
breach notices be written in plain language so that individuals will be 
able to understand them more easily, which means the notice should be 
written at an appropriate reading level, using clear language and 
syntax, and not include any extraneous material that might diminish the 
message it is trying to convey.
    Second, the interim final rule explained that some covered entities 
may have obligations under other laws with respect to their 
communication with affected individuals. For example, to the extent a 
covered entity is obligated to comply with Title VI of the Civil Rights 
Act of 1964, the covered entity must take reasonable steps to ensure 
meaningful access for Limited English Proficient persons to the 
services of the covered entity, which could include translating the 
notice into frequently encountered languages. Similarly, to the extent 
that a covered entity is required to comply with Section 504 of the 
Rehabilitation Act of 1973 or the Americans with Disabilities Act of 
1990, the covered entity has an obligation to take steps that may be 
necessary to ensure effective communication with individuals with 
disabilities, which could include making the notice available in 
alternate formats, such as Braille, large print, or audio.
Overview of Public Comments
    Several commenters stated that the content requirements for breach 
notification were too vague. Some commenters asked that we provide 
templates or sample notices to be used by covered entities. Other 
commenters asked for more specific guidance about particular required 
content elements of the notice, such as what information should be 
provided to individuals about a covered entity's or business 
associate's mitigation efforts and regarding any employee sanctions, 
particularly if a company has policies that require certain employment 
actions be kept confidential. It was also suggested that we publish a 
list of actions to be included in the notices based on the type of 
breach with respect to the steps individuals should take to protect 
themselves from harm. Some commenters also asked that the Department 
clarify that the requirement

[[Page 5649]]

to include ``a brief description of what happened'' would not require 
the covered entity or business associate to describe how the breach 
occurred such that it would create a roadmap for future breaches.
Final Rule
    We retain Sec.  164.404(c) in this final rule without modification. 
The content requirements in the Rule generally mirror the content 
requirements in the statute and each element is an important component 
of the notice to ensure individuals receive the information they need 
to protect themselves to the extent possible from the consequences of a 
breach and to learn what is being done to mitigate the breach and 
prevent future breaches. At the same time, the content provisions are 
sufficiently flexible to allow covered entities and business associates 
to tailor the breach notices based on the circumstances surrounding the 
breach and of the entity. In our experience in administering the Rule 
since 2009, the Rule provides sufficient flexibility to describe to the 
individual the circumstances surrounding the breach in a more general 
manner that still provides the individual with pertinent information 
but that does not provide a roadmap to third parties for future 
breaches. For example, the notice need not explain the exact type of 
vulnerability in the security of a covered entity's electronic records 
system that led to unauthorized access and how that vulnerability was 
exploited. Similarly, a covered entity has flexibility in describing 
what the covered entity is doing in response to a breach. Where 
employee sanctions are relevant based on the circumstances of the 
breach, a covered entity may determine that it wants to describe the 
sanctions imposed more generally and nothing in the Rule would require 
that the notice include the names of the employees involved. For 
example, a covered entity may want to indicate generally that the 
employees involved have been appropriately disciplined, particularly if 
multiple employees received varying levels of sanctions based on their 
degrees of involvement in the breach. In other cases, it may benefit 
the covered entity to be more specific so as to better assure 
individuals that the entity is appropriately addressing the situation, 
such as indicating that an employee who improperly accessed and sold 
patient information was promptly terminated.
    With respect to templates, examples, or other guidance, the 
Department anticipates providing additional guidance in the future.
Methods of Notification
    Section 13402(e)(1) of the HITECH Act provides for both actual 
written notice to affected individuals, as well as substitute notice to 
affected individuals if contact information is insufficient or out-of-
date. Specifically, the statute requires breach notifications to be 
sent by first-class mail at the last known address of the individual or 
next of kin if the individual is deceased, or by electronic mail if 
specified as the preferred method by the individual. The Act also 
provides that the notification may be provided in one or more mailings 
as the information becomes available. Where there is insufficient or 
out-of-date contact information that precludes direct written notice to 
the individual, the statute requires that a substitute form of notice 
be provided to the individual. If there is insufficient contact 
information for 10 or more individuals, the Act requires that the 
substitute notice be a conspicuous posting on the home page of the 
covered entity's Web site or notice in major print or broadcast media 
in the geographic areas where the affected individuals likely reside, 
and in either case, that a toll-free number be included where 
individuals can learn whether their information was possibly included 
in the breach. Finally, the Act provides that a covered entity may 
provide notice by telephone or other means to individuals, in addition 
to direct written notice by first-class mail or email, in urgent 
situations involving possible imminent misuse of the individual's 
information.
    Section 164.404(d) of the interim final rule set forth these 
methods for providing breach notification to affected individuals. 
Section 164.404(d)(1)(i) of the interim final rule required a covered 
entity to provide breach notice to an affected individual in written 
form by first-class mail at the individual's last known address. The 
interim final rule also permitted covered entities to provide this 
written notice in the form of electronic mail if the individual has 
agreed to receive electronic notice and that agreement has not been 
withdrawn.
    The Department clarified that, consistent with Sec.  164.502(g) of 
the Privacy Rule, where the individual affected by a breach is a minor 
or otherwise lacks legal capacity due to a physical or mental 
condition, notice to the parent or other person who is the personal 
representative of the individual would satisfy the requirements of 
Sec.  164.404(d)(1). Additionally, with respect to deceased 
individuals, the interim final rule at Sec.  164.404(d)(1)(ii) provided 
that notice of a breach be sent to either the individual's next of kin 
or personal representative, as such term is used for purposes of the 
Privacy Rule, recognizing that in some cases, a covered entity may have 
contact information for a personal representative of a deceased 
individual rather than the next of kin. To address administrative and 
privacy concerns with a covered entity being required to obtain contact 
information for the next of kin of a deceased patient in cases where 
the individual did not otherwise provide the information while alive, 
the interim final rule also clarified that a covered entity is only 
required to provide notice to the next of kin or personal 
representative if the covered entity both knows the individual is 
deceased and has the address of the next of kin or personal 
representative of the decedent.
    If a covered entity does not have sufficient contact information 
for some or all of the affected individuals, or if some notices are 
returned as undeliverable, the interim final rule required a covered 
entity to provide substitute notice for the unreachable individuals in 
accordance with Sec.  164.404(d)(2). The interim final rule required 
that substitute notice be provided as soon as reasonably possible after 
the covered entity is aware that it has insufficient or out-of-date 
contact information for one or more affected individuals and that the 
notice contain all the elements that Sec.  164.404(c) requires be 
included in the direct written notice to individuals. With respect to 
decedents, however, the interim final rule provided that a covered 
entity is not required to provide substitute notice for the next of kin 
or personal representative in cases where the covered entity either 
does not have contact information or has out-of-date contact 
information for the next of kin or personal representative.
    Section 164.404(d)(2) of the interim final rule required that, 
whatever method used, the substitute form of notice be reasonably 
calculated to reach the individuals for whom it is being provided. If 
there are fewer than 10 individuals for whom the covered entity has 
insufficient or out-of-date contact information to provide the written 
notice, Sec.  164.404(d)(2)(i) of the interim final rule permitted the 
covered entity to provide substitute notice to such individuals through 
an alternative form of written notice, by telephone, or other means. 
For example, if a covered entity learned that the home address it has 
for one of its patients was out-of-date, but it had the patient's email 
address or telephone number, it could provide

[[Page 5650]]

substitute notice by email (even if the patient had not agreed to 
electronic notice) or by phone. Alternatively, posting a notice on the 
Web site of the covered entity or at another location may be 
appropriate if the covered entity lacks any current contact information 
for the patients, so long as the posting is done in a manner that is 
reasonably calculated to reach the individuals.
    If a covered entity has insufficient or out-of-date contact 
information for 10 or more individuals, then Sec.  164.404(d)(2)(ii) of 
the interim final rule required the covered entity to provide 
substitute notice through either a conspicuous posting for a period of 
90 days on the home page of its Web site or conspicuous notice in major 
print or broadcast media in geographic areas where the individuals 
affected by the breach likely reside. For either method involving 10 or 
more individuals, the covered entity was also required to have a toll-
free phone number, active for 90 days, where an individual can learn 
whether the individual's unsecured protected health information may be 
included in the breach and to include the number in the notice.
    If a covered entity chooses to provide substitute notice on its Web 
site, the covered entity may provide all the information described at 
Sec.  164.404(c) directly on its home page (``home page'' includes the 
home page for visitors to the covered entity's Web site and the landing 
page or login page for existing account holders) or may provide a 
prominent hyperlink on its home page to the notice containing such 
information.
    If the covered entity does not have or does not wish to use a Web 
site for the substitute notice, the interim final rule required the 
covered entity to provide substitute notice of the breach in major 
print or broadcast media in geographic areas where the individuals 
affected by the breach likely reside. What is considered major print or 
broadcast media for a metropolitan area may be very different from what 
is considered major print or broadcast media in a rural area, such that 
the use of local, city, or state-wide media may be appropriate 
depending on the circumstances. Further, multiple media outlets may 
need to be utilized to reasonably reach individuals in different 
regions or States. In any event, substitute media notice, as with 
substitute Web notice, must be conspicuous and thus, covered entities 
should consider the location and duration of the notice to ensure the 
notice is reasonably calculated to reach the affected individuals.
    Finally, we clarified that covered entities with out-of-date or 
insufficient contact information for some individuals can attempt to 
update the contact information so that they can provide direct written 
notification, in order to limit the number of individuals for whom 
substitute notice is required and, thus, potentially avoid the 
obligation to provide substitute notice through a Web site or major 
print or broadcast media under Sec.  164.404(d)(2)(ii).
    In accordance with the statute, Sec.  164.404(d)(3) makes clear 
that notice to the individual by telephone or other means may be 
provided, in addition to the direct written notice required by Sec.  
164.404(d)(1), in cases deemed by the covered entity to require urgency 
because of possible imminent misuse of unsecured protected health 
information.
Overview of Public Comments
    Several commenters questioned which entity has the responsibility 
for providing notifications to individuals when a breach occurs at or 
by a business associate and whether a covered entity could delegate its 
breach notification obligations to a business associate. Some 
commenters asked about the notification obligations in cases where a 
covered entity's business associate that experiences a breach is also a 
covered entity itself. Others requested clarification regarding the 
obligations for providing breach notification where multiple covered 
entities and business associates are involved in health information 
exchange and it may be unclear where a breach occurred and/or which 
entity has responsibility for the breach.
    Additionally, many commenters suggested that covered entities be 
permitted to provide notification to individuals via telephone or 
orally instead of via written communication, or at a work address 
instead of a home address, if the individual has specified one of these 
alternative methods or locations as preferred for receiving breach 
notification. Commenters raised potential privacy concerns with 
communicating with individuals via mail to their home, particularly 
where the individual has received highly confidential medical services, 
such as substance abuse or mental health services, and others who may 
have access to the mail may not otherwise be aware of such condition or 
treatment. Some commenters argued that because the Privacy Rule 
requires covered entities to accommodate reasonable requests by 
individuals to receive communications by alternative means or at 
alternative locations, the same standard should apply to the provision 
of breach notification.
    Finally, several commenters expressed concern over the substitute 
notice required in cases in which the covered entity has insufficient 
or out-of-date contact information for affected individuals. Many of 
these commenters stated that providing notification via Web posting or 
media publication is an inappropriate method of providing substitute 
notice, except in cases in which the covered entity can reasonably 
define the universe of affected individuals. In other cases, such 
notice will not give individuals who view the notice enough information 
to determine if they are affected by a breach, and may cause unaffected 
individuals unnecessary alarm. Some commenters recommended that covered 
entities instead be required to use reasonable efforts to identify 
alternative means of providing direct notice to the affected 
individuals, such as by phone or email, or to only require substitute 
media or Web notice when a covered entity cannot reach 10 or more 
individuals directly by mail, phone, or email. Other commenters argued 
that the substitute notice requirements, particularly the requirement 
to establish a toll-free number, may be cost prohibitive to smaller 
covered entities. It was also suggested that smaller covered entities, 
particularly those in rural areas, should be allowed to provide 
substitute notice via handouts or postings at the covered entity's 
physical location even in cases where the entity has insufficient 
contact information for more than 10 individuals.
Final Rule
    We retain Sec.  164.404(d) in this final rule without modification. 
In response to questions raised with respect to a breach at or by a 
business associate, we note that the covered entity ultimately 
maintains the obligation to notify affected individuals of the breach 
under Sec.  164.404, although a covered entity is free to delegate the 
responsibility to the business associate that suffered the breach or to 
another of its business associates. This is the case even if the breach 
of the covered entity's protected health information occurred at or by 
a business associate that is also a covered entity. For example, if a 
covered provider (Provider A) hires another covered provider's practice 
(Provider B) as a business associate to perform his billing and other 
back office functions, and a breach of Provider A's protected health 
information occurs at Provider B while performing these functions for 
Provider A, it remains Provider A's responsibility to provide breach 
notification to the affected individuals, although Provider A may 
delegate this

[[Page 5651]]

responsibility to Provider B as its business associate.
    Covered entities and business associates should consider which 
entity is in the best position to provide notice to the individual, 
which may depend on various circumstances, such as the functions the 
business associate performs on behalf of the covered entity and which 
entity has the relationship with the individual.
    Similarly, when multiple covered entities participate in electronic 
health information exchange and there is a breach of unsecured 
protected health information at a Health Information Organization 
(HIO), the obligation to notify individuals of the breach falls to the 
covered entities. We recognize that it may be difficult to determine 
what breached information is attributable to which covered entity's 
individuals. For example, an HIO may store centralized electronic 
health records (EHRs) for a community, with each EHR including 
information generated by multiple covered entities. In such 
circumstances, it may be necessary for the HIO to notify all 
potentially affected covered entities and for those covered entities to 
delegate to the HIO the responsibility of sending the required 
notifications to the affected individuals. This would avoid the 
confusion of individuals receiving more than one notification about the 
same breach.
    In response to the commenters who suggested that covered entities 
be permitted to accommodate reasonable requests by individuals to 
receive breach notifications by alternative means or at alternative 
locations, we provide the following guidance. The HITECH Act requires a 
covered entity to provide breach notification to an affected individual 
in written form either at the last known address of the individual or 
email address, if the individual agrees to receive notice 
electronically, where the covered entity has sufficient contact 
information to do so. The Act and this rule do not prohibit a covered 
entity from sending a breach notice to an alternative address rather 
than a home address, such as a work address or post office box, or the 
individual's email address of choice, if the individual requests 
communications be sent to such an address. Further, a covered health 
care provider (and health plan, if potential endangerment is raised by 
the individual) is required by the Privacy Rule at Sec.  164.522 to 
accommodate any such reasonable requests.
    In response to those commenters who urged that we allow breach 
notices to be provided orally or via telephone to individuals receiving 
highly confidential treatment services where the individual has 
requested to receive communications in such a manner, we note that the 
HITECH Act specifically refers to ``written'' notice to be provided to 
individuals. However, we understand the privacy concerns raised. We, 
thus, clarify that in the limited circumstances in which an individual 
has agreed only to receive communications from a covered health care 
provider orally or by telephone, the provider is permitted under the 
Rule to telephone the individual to request and have the individual 
pick up their written breach notice from the provider directly. In 
cases in which the individual does not agree or wish to travel to the 
provider to pick up the written breach notice, the health care provider 
should provide all of the information in the breach notice over the 
phone to the individual, document that it has done so, and the 
Department will exercise enforcement discretion in such cases with 
respect to the ``written notice'' requirement. We stress that our 
enforcement discretion applies only to cases where the individual 
affirmatively chooses not to receive communications from a covered 
health care provider at any written addresses or email addresses, and 
not to situations where providing telephonic notice is simply less 
burdensome or easier on a provider and the entity has a valid address, 
or email address if applicable, on file for the affected individual.
    Finally, with respect to commenters who expressed concerns with the 
substitute media and Web notice provisions of the interim final rule, 
we emphasize that these are statutory requirements that have been 
incorporated into the Rule. Section 13402(e)(1)(B) of the HITECH Act 
expressly requires that a covered entity that has insufficient or out-
of-date contact information for 10 or more individuals provide 
substitute notification to such individuals via posting on their Web 
site or notification in major print or broadcast media in the areas in 
which the affected individuals likely reside. Additionally, the statute 
requires such ``notice in media or web posting will include a toll-free 
phone number where an individual can learn whether or not the 
individual's unsecured protected health information is possibly 
included in the breach.'' Thus, we retain these requirements in this 
final rule.
Response to Other Public Comments
    Comment: One commenter expressed concern about providing breach 
notification to individuals by first-class mail because it could 
require some entities, such as those that have Web-based relationships 
with individuals, to collect more information about individuals (e.g., 
physical addresses) than they currently do.
    Response: The Rule allows a covered entity to provide written 
breach notice to an affected individual by email if the individual 
agrees to electronic notice and such agreement has not been withdrawn. 
We would expect that covered entities that have primarily or solely an 
online relationship with individuals would ask and encourage 
individuals to receive breach notices by email and that generally 
individuals would agree. However, an individual that does not 
affirmatively agree to receive breach notices by email, or that 
withdraws a prior agreement, has a right to notice by first-class mail.
    Comment: One commenter suggested that we excuse a covered entity 
from providing notification of a breach to an individual where a 
licensed health care professional has determined in the exercise of 
professional judgment that the provision of such notice is likely to 
cause substantial harm to the individual. The commenter appeared to be 
concerned due to the nature of the services it provides--mental health 
services--and the distress breach notification could cause for certain 
of its patients.
    Response: The statute does not include such an exception to the 
provision of breach notification, and we do not include one in this 
Rule. An affected individual has a right to be informed of breaches of 
unsecured protected health information so the individual can take steps 
if appropriate to protect themselves from the consequences. In 
situations where a health care provider believes that the provision of 
written breach notification to an individual may cause extreme anguish 
or distress, based on the individual's mental state or other 
circumstances, the provider may telephone the individual prior to the 
time the breach notice is mailed or have them come into the provider's 
office to discuss the situation. However, we note that the breach 
notification must still be mailed without unreasonable delay and in no 
case later than 60 calendar days after discovery of the breach. Where a 
provider is aware that an individual has a personal representative due 
to incapacity or other health condition, the breach notification may be 
sent to the personal representative.
    Comment: Many commenters expressed support for allowing covered 
entities to provide breach notification to a deceased individual's 
personal representative instead of to the next of

[[Page 5652]]

kin. One commenter suggested that we also allow covered entities to 
provide breach notification to the emergency contact provided by a 
deceased individual prior to death as this is the information they 
collect from individuals and yet this person may not be the next of kin 
or a personal representative of the deceased individual.
    Response: We do not believe it appropriate to permit covered 
entities to send breach notifications to a deceased individual's 
emergency contact where such person is not a personal representative 
(such as an executor or administrator of the decedent's estate) or next 
of kin of the decedent, as such notices may convey information about 
the decedent's care the decedent never wished the emergency contact to 
have and/or may go to a person who has no authority to act on the 
notice.
    Comment: To reduce the costs associated with sending breach 
notifications, one commenter asked that we adopt the Department of 
Labor's standard for providing COBRA Election Notices to allow a 
covered entity to: (1) Where a breach affects both a plan participant 
and the participant's spouse, send one breach notice addressed to both 
if both spouses reside at the same address; and (2) where a breach 
affects a dependent child (of any age) under a plan, send a breach 
notice to either the plan participant and/or the participant's spouse, 
provided the dependent child resides at the same address. The commenter 
stated the notice should clearly identify the individuals or classes of 
individuals to whom the notice applies.
    Response: A covered entity is permitted to send one breach notice 
addressed to both a plan participant and the participant's spouse or 
other dependents under the plan who are affected by a breach, so long 
as they all reside at a single address and the covered entity clearly 
identifies on the notice the individuals to which the notice applies. 
Further, a covered entity may send a notice regarding the breach of a 
dependent child's protected health information addressed to the plan 
participant and/or participant's spouse living with the dependent 
child, so long as the participant and/or participant's spouse are the 
personal representatives of the dependent child and the notice clearly 
identifies to whom it applies. Such notices by first-class mail would 
meet the written notice requirements of Sec.  164.404(d)(1)(i). 
However, one breach notice covering both the plan participant and the 
dependents under the plan mailed to the plan participant's address 
would not suffice if the address of one or more dependents affected by 
the breach was different than the participant's address. Further, where 
a plan participant (and/or spouse) is not the personal representative 
of a dependent under the plan, a covered entity must address a breach 
notice to the dependent himself or herself.
    Comment: Several commenters expressed support for the 
acknowledgment in the preamble to the interim final rule that some 
covered entities may have obligations under Civil Rights laws to ensure 
that breach notifications are provided to individuals in alternative 
languages, and in alternative formats, such as Braille, large print, or 
audio, where appropriate. Some commenters requested additional guidance 
regarding how to ensure compliance with these laws with respect to 
breach notifications.
    Response: Additional guidance on how to comply with Title VI of the 
Civil Rights Act of 1964, Section 504 of the Rehabilitation Act of 
1973, and the Americans with Disabilities Act of 1990, is available on 
the OCR Web site at https://www.hhs.gov/ocr/civilrights/. Further, 
covered entities with questions on how to comply may contact one of 
OCR's ten regional offices. Contact information is available at https://www.hhs.gov/ocr/office/about/rgn-hqaddresses.html.
    Comment: Some commenters suggested that the final rule adopt a 
substitute notification provision similar to that in many State laws 
that allows for substitute notification, rather than direct written 
notice, to the individual in the event of breaches affecting a very 
large number of individuals, such as over 250,000 or 500,000, where the 
costs of notification would be extremely high.
    Response: The Act does not waive direct written notice to the 
individual when a breach has affected a threshold number of individuals 
and we do not do so in this rule.
    Comment: One commenter requested confirmation that a covered entity 
could make multiple attempts to provide direct written notice to 
individuals within the 60-day timeframe before the individual counts 
towards the 10 or more threshold for providing substitute Web or media 
notice.
    Response: We clarify that a covered entity can attempt to cure out-
of-date contact information on individuals when notices are returned as 
undeliverable by the United States Postal Service to avoid substitute 
notice so long as a covered entity does so promptly upon receiving the 
returned notices and no later than 60 calendar days from discovery of 
the breach. However, at the time the covered entity is aware that it 
will be unable to reach 10 or more individuals with direct written 
notice, the covered entity should provide substitute Web or media 
notice as soon as reasonably possible thereafter, which may be prior to 
the end of the 60-day period depending on the circumstances.
    Comment: One commenter stated that the required content of the 
breach notice itself, when made available to the public through the Web 
or media, could lead to the identification of individuals affected by 
the breach in some cases, undermining the intent of HIPAA's privacy and 
security protections.
    Response: It is unclear the circumstances to which the commenter 
refers. For example, the notification must include the types of 
protected health information involved (e.g., social security numbers, 
dates of birth, full names). However, this is not a requirement to 
include in the notice the actual names or other identifiers of the 
affected individuals. We believe covered entities are able to post 
breach notices in a manner that does not identify particular 
individuals affected by a breach and thus, must do so.
    Comment: One commenter asked that OCR engage in an educational 
campaign to ensure that covered entities and business associates 
understand their obligations under the breach notification rule.
    Response: Published guidance is the primary method that the 
Department uses to educate and provide technical assistance to covered 
entities and business associates. We intend to issue guidance on these 
requirements in the future as questions are raised or clarifications 
sought.
3. Section 164.406--Notification to the Media
    Section 13402(e)(2) of the HITECH Act, implemented at Sec.  164.406 
of the interim final rule, requires that a covered entity provide 
notice of a breach to prominent media outlets serving a State or 
jurisdiction, following the discovery of a breach if the unsecured 
protected health information of more than 500 residents of such State 
or jurisdiction is, or is reasonably believed to have been, accessed, 
acquired, or disclosed during such breach. This media notice is in 
addition to, not a substitute for, individual notice. In accordance 
with the Act, Sec.  164.406(b) of the interim final rule required 
covered entities to notify prominent media outlets without unreasonable 
delay and in no case later than 60 calendar days after discovery of the 
breach. Section 164.406(c) of the interim final rule required that the

[[Page 5653]]

notification to the media include the same information required to be 
included in the notification to the individual under Sec.  164.404(c).
    The interim final rule did not define ``prominent media outlet'' 
because what constitutes a prominent media outlet will differ depending 
upon the State or jurisdiction affected. For a breach affecting more 
than 500 individuals across a particular state, a prominent media 
outlet may be a major, general interest newspaper with a daily 
circulation throughout the entire state. In contrast, a newspaper 
serving only one town and distributed on a monthly basis, or a daily 
newspaper of specialized interest (such as sports or politics) would 
not be viewed as a prominent media outlet. Where a breach affects more 
than 500 individuals in a limited jurisdiction, such as a city, then a 
prominent media outlet may be a major, general-interest newspaper with 
daily circulation throughout the city, even though the newspaper does 
not serve the whole State.
    With regard to the term ``State,'' the existing definition of 
``State'' at Sec.  160.103 of the HIPAA Rules applies. Section Sec.  
160.103 defines ``State'' to mean ``any one of the several States, the 
District of Columbia, the Commonwealth of Puerto Rico, the Virgin 
Islands, and Guam.'' We also expressly provided in the regulation that 
``State'' for purposes of notice to the media includes American Samoa 
and the Northern Mariana Islands, because they were included in the 
HITECH Act's definition of ``State'' in addition to what appears in the 
definition at Sec.  160.103. With respect to what was meant by 
``jurisdiction'' as opposed to a ``State,'' jurisdiction is a 
geographic area smaller than a state, such as a county, city, or town.
    The interim final rule also clarified that some breaches involving 
more than 500 individuals who are residents in multiple States may not 
require notice to the media. For example, if a covered entity discovers 
a breach of 600 individuals, 200 of which reside in Virginia, 200 of 
which reside in Maryland, and 200 of which reside in the District of 
Columbia, the breach did not affect more than 500 residents of any one 
State or jurisdiction, and as such, notification is not required to be 
provided to the media pursuant to Sec.  164.406. However, individual 
notification under Sec.  164.404 would be required, as would 
notification to the Secretary under Sec.  164.408 because the breach 
involved 500 or more individuals.
    The Department also recognized that in some cases a breach may 
occur at a business associate and involve the protected health 
information of multiple covered entities. In such cases, a covered 
entity involved would only be required to provide notification to the 
media if the information breached included the protected health 
information of more than 500 individuals located in any one State or 
jurisdiction. For example, if a business associate discovers a breach 
affecting 800 individuals in a State, the business associate must 
notify the appropriate covered entity (or covered entities) subject to 
Sec.  164.410 (discussed below). If 450 of the affected individuals are 
patients of one covered entity and the remaining 350 are patients of 
another covered entity, because the breach has not affected more than 
500 individuals at either covered entity, there is no obligation to 
provide notification to the media under this section.
    Section 164.406(c) requires that the notice to the media include 
the same content as that required for notification to the individual 
under Sec.  164.404(c), and we emphasized that this provision does not 
replace either direct written or substitute notice to the individual 
under Sec.  164.404.
Overview of Public Comments
    In general, we received few comments on this provision of the 
interim final rule. One commenter expressed general support for this 
provision because it does not require the covered entity to incur the 
cost of printing or running the media notice and asked for 
clarification that this policy places no requirement on the media to 
publically report the information provided by a covered entity. Another 
commenter asked whether a covered entity could fulfill the requirements 
for providing media notification by posting a press release on the 
covered entity's Web site.
Final Rule
    We retain Sec.  164.406 in this final rule with one minor change. 
As described in Section IV above, to align the definition of ``State'' 
in the HIPAA Rules with the definition of the same term used in the 
HITECH Act, the Department has modified the definition of ``State'' at 
Sec.  160.103 to include reference to American Samoa and the Northern 
Mariana Islands. Given this change, it is not necessary to include 
specific reference to American Samoa and the Northern Mariana Islands 
at Sec.  164.406 and we remove it in this final rule.
    In response to public comments, we clarify that Sec.  164.406 does 
not require a covered entity to incur any cost to print or run media 
notice about a breach of unsecured protected health information (unlike 
the obligations for providing substitute notice to individuals in Sec.  
164.404(d)(2) if there is insufficient or out-of-date contact 
information for 10 or more affected individuals) nor does it obligate 
prominent media outlets who receive notification of a breach from a 
covered entity to print or run information about the breach. We also 
emphasize that posting a press release regarding a breach of unsecured 
protected health information on the home page of the covered entity's 
Web site will not fulfill the obligation to provide notice to the media 
(although covered entities are free to post a press release regarding a 
breach on their Web site). To fulfill the obligation, notification, 
which may be in the form of a press release, must be provided directly 
to prominent media outlets serving the State or jurisdiction where the 
affected individuals reside.
4. Section 164.408--Notification to the Secretary
    Section 13402(e)(3) of the HITECH Act requires covered entities to 
notify the Secretary of breaches of unsecured protected health 
information. The Act requires covered entities to report breaches 
affecting 500 or more individuals to the Secretary immediately. For 
breaches affecting fewer than 500 individuals, covered entities may 
maintain a log of all such breaches occurring during the year and 
annually submit such log to the Secretary.
    To implement the statutory provisions, Sec.  164.408(a) contains 
the general rule that requires a covered entity to notify the Secretary 
following the discovery of a breach of unsecured protected health 
information. With respect to breaches involving 500 or more 
individuals, we interpreted the term ``immediately'' in the statute to 
require notification be sent to the Secretary concurrently with the 
notification sent to the individual under Sec.  164.404 (i.e., without 
unreasonable delay but in no case later than 60 calendar days following 
discovery of a breach). The rule provided that these notifications be 
provided in a manner to be specified on the HHS Web site. Further, as 
required by section 13402(e)(4) of the Act, the interim final rule 
stated that the Secretary would begin to post and maintain on the HHS 
Web site a list of covered entities that submit reports of breaches of 
unsecured protected health information involving more than 500 
individuals.
    Under these provisions, covered entities must notify the Secretary 
of all discovered breaches involving more than 500 individuals, without 
regard to

[[Page 5654]]

whether the breach involved more than 500 residents of a particular 
State or jurisdiction (the threshold for triggering notification to the 
media under Sec.  164.406 of the interim final rule). Thus, where a 
covered entity has discovered a breach involving 600 individuals, 300 
of which reside in Maryland and 300 of which reside in the District of 
Columbia, notification of the breach must be provided to the Secretary 
concurrently with notification to the affected individuals. However, in 
this example, the breach would not trigger the requirement to notify 
the media under Sec.  164.406 because the breach did not involve more 
than 500 residents of any one State or jurisdiction.
    For breaches involving less than 500 individuals, Sec.  164.408(c) 
requires a covered entity to maintain a log or other documentation of 
such breaches and to submit information annually to the Secretary for 
breaches occurring during the preceding calendar year. The interim 
final rule required the submission of this information to the Secretary 
no later than 60 days after the end of each calendar year. As with 
notification of the larger breaches, the interim final rule required 
that information about breaches involving less than 500 individuals be 
provided to the Secretary in the manner specified on the HHS Web site.
    Although covered entities need only provide notification to the 
Secretary of breaches involving less than 500 individuals annually, 
they must still provide notification of such breaches to affected 
individuals without unreasonable delay and not later than 60 days after 
discovery of the breach pursuant to Sec.  164.404. In addition, 
pursuant to Sec.  164.414(a), a covered entity must follow the 
documentation requirements that otherwise apply to the HIPAA Privacy 
Rule under Sec.  164.530 with respect to the requirements of this rule. 
Thus, pursuant to Sec.  164.530(j)(2), covered entities must maintain 
the internal log or other documentation for six years. Further, as with 
other required documentation, a covered entity must make such 
information available to the Secretary upon request for compliance and 
enforcement purposes in accordance with Sec.  160.310.
Overview of Public Comments
    Some commenters expressed concern regarding the timing of providing 
notification to the Secretary of breaches affecting fewer than 500 
individuals. These commenters asked when notification should be 
provided if a covered entity discovers, after the reporting deadline, a 
breach that occurred in the previous year. Several others commented on 
the interim final rule's process for providing the Secretary with 
breach notification. Some commenters asked that this process be revised 
to allow covered entities to maintain a log of all breaches affecting 
fewer than 500 individuals and then submit that log, via attachment 
(such as an Excel spreadsheet), to the Secretary on an annual basis. 
These commenters stated that submitting reports of these smaller 
breaches in this manner would be much less burdensome than submitting 
the reports individually. Other commenters asked that we provide a 
template log for entities to use to document smaller breaches for 
annual submission to the Secretary. Additionally, several commenters 
suggested that there be access or authentication controls for 
submitting breach reports because of concerns of false breach reports 
being submitted to the Secretary without the covered entity's 
knowledge.
Final Rule
    The final rule retains Sec.  164.408(c) with one modification. The 
modification clarifies that covered entities are required to notify the 
Secretary of all breaches of unsecured protected health information 
affecting fewer than 500 individuals not later than 60 days after the 
end of the calendar year in which the breaches were ``discovered,'' not 
in which the breaches ``occurred.'' We recognize that there may be 
situations where, despite having reasonable and appropriate breach 
detection systems in place, a breach may go undetected for some time. 
In these cases, if a breach of unsecured protected health information 
affecting fewer than 500 individuals that occurred in the previous year 
is discovered, the covered entity has until 60 days after the end of 
the calendar year in which the breach was discovered to provide notice 
to the Secretary. We emphasize, however, that this modification does 
not alter a covered entity's obligation to promptly report the breach 
to affected individuals without unreasonable delay but in no cases 
later than 60 calendar days after discovery of the breach.
    In response to the comments suggesting that covered entities be 
permitted to submit a log of all smaller breaches to the Secretary 
instead of submitting each breach individually through the online form, 
we agree that the current process may be burdensome for some entities 
and are considering alternative ways to receive such reports.
    With respect to the commenters who asked that access or 
authentication controls be added to the breach reporting form, we do 
not believe this is necessary at the present time. Since the Department 
began receiving and processing breach reports on September 23, 2009, we 
have not yet received a report that has been falsely submitted by an 
individual or entity not acting on behalf of the covered entity. 
Additionally, we emphasize that following receipt of a breach report 
that affects 500 or more individuals, we contact the covered entity 
identified in the breach report and verify the information in the 
report before we post any information about the breach on the HHS Web 
site. If circumstances change in the future, we will explore options 
for modifying the process.
Response to Other Public Comments
    Comment: One commenter asked that the final rule should not 
interpret the term ``immediately'' in the statute to mean without 
unreasonable delay, but in no case later than 60 days, but rather to 
mean as soon as the breach is discovered. Another commenter asked that 
the final rule expand the timeframe for providing notification to the 
Secretary to no later than 120 days after discovery of a breach.
    Response: We believe that our interpretation of ``immediately'' 
with respect to notification to the Secretary for breaches affecting 
500 or more individuals is reasonable and appropriate and thus, retain 
the provision that requires such notice be provided contemporaneously 
with notice to the individual. Requiring contemporaneous notice allows 
the notice to the Secretary to include all of the information provided 
in the notice to the individual and better ensures that a covered 
entity does not report information to the Secretary that later turns 
out to be incorrect because the entity did not have sufficient time to 
conduct an investigation into the facts surrounding the breach. In 
addition, this interpretation satisfies the statutory requirement that 
notifications of larger breaches be provided to the Secretary 
immediately (as they occur) as compared to the reports of smaller 
breaches the statute allows be reported annually to the Secretary.
    Comment: Some commenters asked for further guidance on submitting 
online breach notifications to the Secretary. Additionally, some 
commenters asked that HHS provide a confirmation to submitters that an 
initial breach report or an addendum to a breach report has been 
successfully submitted.
    Response: Since the publication of the interim final rule, OCR has 
posted

[[Page 5655]]

instructions for filling out and submitting the breach form on its Web 
site: https://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html. We will continue to examine 
the instructions for submitting breach notification to the Secretary 
and will update this information, as necessary, to ensure that covered 
entities are able to navigate and submit the form easily. The 
Department has also made changes to the process to ensure that covered 
entities receive a confirmation following their submission of breach 
notification to the Secretary. Additionally, we note that the breach 
reporting form does include an option for indicating that a submission 
is an addendum to a previous submission. OCR updates the original 
breach report, as appropriate, with any additional or modified 
information submitted in an addendum.
    Comment: With respect to the posting of breaches affecting 500 or 
more individuals on the HHS Web site, some commenters stated that these 
breach submissions must be verified with the covered entity before they 
are posted publicly. Other commenters asked for clarification of what 
information will be posted, while another commenter asked that we post 
only the name of the covered entity involved in the breach. Finally, 
one commenter suggested that we only post these breaches on our Web 
site for a six month period.
    Response: To provide helpful information to the public, OCR 
currently posts the following information regarding breaches affecting 
500 or more individuals: name of the covered entity (and if applicable, 
the business associate) involved; State where the covered entity is 
located; number of individuals affected by the breach; the date of the 
breach; type of breach (e.g., theft, loss, unauthorized access/
disclosure); and location of the breached information (e.g., laptop, 
paper records, desktop computer). Prior to posting this information, 
OCR verifies the information in the breach notification report with the 
covered entity. We do not believe it would serve the public to only 
disclose the name of the covered entity involved in each of the 
breaches, because the additional information enables members of the 
public to understand the nature of the breach and to determine if the 
breach affects them directly. In terms of how long information about 
each of the breaches is to remain posted, we intend to maintain the 
information on our Web site for as long as there is public interest and 
the data can remain posted in a manner that gives the public access 
effectively and efficiently.
5. Section 164.410--Notification by a Business Associate
Interim Final Rule
    Section 13402(b) of the HITECH Act requires a business associate of 
a covered entity that accesses, maintains, retains, modifies, records, 
destroys, or otherwise holds, uses, or discloses unsecured protected 
health information to notify the covered entity when it discovers a 
breach of such information. The Act requires business associates to 
provide such notification to covered entities without unreasonable 
delay and in no case later than 60 days from discovery of the breach. 
Additionally, the Act requires business associates to provide covered 
entities with the identity of each individual whose unsecured protected 
health information has, or is reasonably believed to have been, 
affected by the breach. Section 164.410(a) implements section 13402(b) 
of the Act.
    A business associate is required to notify the covered entity of 
the breach of unsecured protected health information so that the 
covered entity can notify affected individuals. In the interim final 
rule, we clarified that a business associate that maintains the 
protected health information of multiple covered entities need notify 
only the covered entity(s) to which the breached information relates. 
However, in cases in which a breach involves the unsecured protected 
health information of multiple covered entities and it is unclear to 
whom the breached information relates, it may be necessary to notify 
all potentially affected covered entities.
    Section 164.410(a)(2) provides that a breach shall be treated as 
discovered by a business associate as of the first day on which such 
breach is known to the business associate or, by exercising reasonable 
diligence, would have been known to the business associate. As with a 
covered entity, a business associate shall be deemed to have knowledge 
of a breach if the breach is known, or by exercising reasonable 
diligence would have been known, to any person, other than the person 
committing the breach, who is an employee, officer, or other agent of 
the business associate (determined in accordance with the Federal 
common law of agency). Similarly, as with knowledge imputed to covered 
entities, the Federal common law of agency controls in determining who 
is an agent of the business associate.
    Section 164.410(b) requires that a business associate provide 
notice of a breach of unsecured protected health information to a 
covered entity without unreasonable delay and in no case later than 60 
days following the discovery of a breach. With respect to timing, if a 
business associate is acting as an agent of a covered entity, then, 
pursuant to Sec.  164.404(a)(2), the business associate's discovery of 
the breach will be imputed to the covered entity. In such 
circumstances, the covered entity must provide notifications under 
Sec.  164.404(a) based on the time the business associate discovers the 
breach, not from the time the business associate notifies the covered 
entity. In contrast, if the business associate is not an agent of the 
covered entity, then the covered entity is required to provide 
notification based on the time the business associate notifies the 
covered entity of the breach. We encouraged covered entities and 
business associates to address the timing of this notification in their 
business associate contracts.
    Section 164.410(c)(1) requires business associates, to the extent 
possible, to provide covered entities with the identity of each 
individual whose unsecured protected health information has been, or is 
reasonably believed to have been, breached. Depending on the 
circumstances, business associates could provide the covered entity 
with immediate notification of the breach and then follow up with the 
required information in Sec.  164.410(c) when available but without 
unreasonable delay and within 60 days.
    Section 164.410(c)(1) requires business associates to provide this 
information ``to the extent possible,'' recognizing that there may be 
situations in which a business associate may be unaware of the 
identification of the individuals whose unsecured protected health 
information was breached. For example, a business associate that is a 
record storage company that holds hundreds of boxes of paper medical 
records on behalf of a covered entity may be unaware of the names of 
the individuals whose records are stored. Thus, if the business 
associate discovers that several boxes are missing, it may be unable to 
provide the covered entity with a list of the individuals whose 
information has been breached. In such circumstances, it is not our 
intent that the business associate delay notification of the breach to 
the covered entity, when the covered entity may be better able to 
identify the individuals affected.
    Depending on the circumstances surrounding a breach of unsecured 
protected health information, a business

[[Page 5656]]

associate may be in the best position to gather the information the 
covered entity is required by Sec.  164.404(c) to include in the 
notification to the individual about the breach. Therefore, in addition 
to the identification of affected individuals, Sec.  164.410(c)(2) 
requires a business associate to provide the covered entity with any 
other available information that the covered entity is required to 
include in the notification to the individual under Sec.  164.404(c), 
either at the time it provides notice to the covered entity of the 
breach or promptly thereafter as information becomes available. Because 
we allow this information to be provided to a covered entity after the 
initial notification of the breach as it becomes available, a business 
associate should not delay the initial notification to the covered 
entity of the breach in order to collect information needed for the 
notification to the individual. To ensure the covered entity is aware 
of all the available facts surrounding a breach, the Rule also requires 
that a business associate provide this information even if it becomes 
available after notifications have been sent to affected individuals or 
after the 60-day period specified in Sec.  164.410(b) has elapsed.
    We clarified that business associates and covered entities would 
continue to have the flexibility to set forth specific obligations for 
each party, such as who will provide notice to individuals and when the 
notification from the business associate to the covered entity will be 
required, following a breach of unsecured protected health information, 
so long as all required notifications are provided and the other 
requirements of the interim final rule were met. We encouraged the 
parties to consider which entity is in the best position to provide 
notice to the individual, which may depend on circumstances, such as 
the functions the business associate performs on behalf of the covered 
entity and which entity has the relationship with the individual. We 
also encouraged the parties to ensure the individual does not receive 
notifications from both the covered entity and the business associate 
about the same breach, which may be confusing to the individual.
Overview of Public Comments
    Many commenters expressed concern over the interim final rule's 
treatment of a covered entity's knowledge of a breach that occurs at or 
by a business associate. Some commenters stated that a covered entity's 
knowledge of a breach should begin when the business associate notifies 
them of the breach, regardless of whether the business associate is an 
agent of the covered entity or a non-agent independent contractor. If 
knowledge is imputed when the business associate discovers the breach, 
one commenter argued that a covered entity would not have sufficient 
time to provide the required notifications to individuals in a timely 
manner. Other commenters argued that all business associates should be 
treated as agents of the covered entity, such that the business 
associate's knowledge of a breach is imputed to the covered entity. 
Finally, some commenters asked for more guidance on when a business 
associate is acting as an agent versus as an independent contractor and 
how to determine this status under the Federal common law of agency.
Final Rule
    The final rule modifies Sec.  164.410 only to make the following 
technical and non-substantive correction: in paragraph (a)(2) of Sec.  
164.410, the first sentence is revised to refer to paragraph (a)(1) 
rather than paragraph (1).
    With respect to the commenters who expressed concern that a covered 
entity's knowledge of a breach depends not only on a business 
associate's discovery of the breach but also on the covered entity's 
relationship with the business associate, we acknowledge that there are 
many different types of relationships that can develop between covered 
entities and business associates based upon the function the business 
associate performs on behalf of the covered entity. In some situations, 
a business associate will be acting as an agent of the covered entity, 
and as such, it makes sense to treat the business associate's knowledge 
of a breach analogous to the knowledge of one of the covered entity's 
own employees. However, in other situations, because a business 
associate may not be an agent of the covered entity, it would not be 
reasonable to impute the business associate's knowledge directly to the 
covered entity, and therefore, the covered entity's knowledge depends 
on notification from the business associate.
    Furthermore, the use of the Federal common law of agency to 
determine the business associate's status with respect to the covered 
entity is consistent with the approach taken in the Enforcement Rule 
for determining agency liability under the HIPAA Rules. Thus, we 
believe the use of the standard is appropriate here and should be 
familiar to most entities. We provide additional guidance regarding who 
is an agent above in our response to comments on the HITECH 
modifications to the HIPAA Enforcement Rule. Because of the agency 
implications on the timing of breach notifications, we encourage 
covered entities to discuss and define in their business associate 
agreements the requirements regarding how, when, and to whom a business 
associate should notify the covered entity of a potential breach.
Response to Other Public Comments
    Comment: Several commenters asked OCR to provide sample business 
associate agreement language to outline the covered entity's and 
business associate's obligations following a breach of unsecured 
protected health information.
    Response: A covered entity's and business associate's obligations 
following a breach of unsecured protected health information will vary 
depending on the relationship. For example, whether a business 
associate will send the breach notices to affected individuals and/or 
to notify the Secretary (and media, if applicable) on behalf of a 
covered entity is a business decision of the parties and how quickly a 
business associate is to notify a covered entity of a breach within the 
required timeframe may be based on a number of factors, such as whether 
the business associate is an agent of the covered entity. However, to 
help covered entities and business associates implement the new 
business associate agreement requirements generally under the HITECH 
modifications to the HIPAA Rules, the Department has published sample 
business associate agreement provisions on its web site.
    Comment: Some commenters asked what happens if a covered entity and 
a business associate disagree about whether an impermissible use or 
disclosure is a breach that requires notification. These commenters 
asked if both parties must be in agreement before breach notification 
obligations are triggered.
    Response: The covered entity is ultimately responsible for 
providing individuals with notification of breaches and, as indicated 
above, the clock for notifying individuals of breaches begins upon 
knowledge of the incident, even if it is not yet clear whether the 
incident qualifies as a breach for purposes of this rule. Further, this 
final rule clarifies that the default presumption is that an 
impermissible use or disclosure is a breach unless it can be determined 
through a risk assessment that there is a low probability that the data 
may be compromised. This standard should allow for more uniform 
application of the risk assessment approach across covered entities and 
business associates.
    Comment: One commenter stated that the requirement that a business

[[Page 5657]]

associate notify a covered entity of a breach of unsecured protected 
health information is duplicative of a business associate's other 
obligations to notify the covered entity of privacy violations and 
security incidents.
    Response: Business associates are required to report to covered 
entities any security incidents or uses or disclosures of protected 
health information not provided for by their business associate 
agreements, which include but are broader than breaches of unsecured 
protected health information under this Rule. For example, a security 
incident need not lead to unauthorized access to protected health 
information (and thus, is not a breach) but is still an event that 
should be reported to the covered entity. Further, when a security 
incident occurs that does rise to the level of a breach, the breach 
notice to the covered entity suffices to meet the requirement to report 
the security incident to the covered entity (however, a covered entity 
may require through the business associate agreement that additional 
information be reported). Therefore, these requirements are not 
duplicative.
6. Law Enforcement Delay
Interim Final Rule
    Section 13402(g) of the HITECH Act provides that if a law 
enforcement official determines that a notification, notice, or posting 
required under this section would impede a criminal investigation or 
cause damage to national security, such notification, notice, or 
posting shall be delayed in the same manner as provided under 45 CFR 
164.528(a)(2) of the Privacy Rule in the case of a disclosure covered 
under such section. Section 164.412 implements section 13402(g) of the 
Act, requiring a covered entity or business associate to temporarily 
delay notification to the individual, the media (if applicable), to a 
covered entity by a business associate, and to the Secretary if 
instructed to do so by a law enforcement official.
    Section 164.412(a), based on the requirements of 45 CFR 
164.528(a)(2)(i) of the Privacy Rule, provides for a temporary delay of 
notification in situations in which a law enforcement official provides 
a statement in writing that the delay is necessary because notification 
would impede a criminal investigation or cause damage to national 
security, and specifies the time for which a delay is required. In such 
instances, the covered entity is required to delay the notification, 
notice, or posting for the time period specified by the official.
    Similarly, Sec.  164.412(b), based on 45 CFR 164.528(a)(2)(ii) of 
the Privacy Rule, requires a covered entity or business associate to 
temporarily delay a notification, notice, or posting if a law 
enforcement official states orally that a notification would impede a 
criminal investigation or cause damage to national security. However, 
in this case, the covered entity or business associate must document 
the statement and the identity of the official and delay notification 
for no longer than 30 days, unless a written statement meeting the 
above requirements is provided during that time. We interpreted these 
provisions as tolling the time within which notification is required 
under Sec. Sec.  164.404, 164.406, 164.408, and 164.410, as applicable.
Final Rule
    The Department did not receive public comments on this provision of 
the interim final rule. We retain Sec.  164.412 in this final rule 
without modification.
7. Section 164.414--Administrative Requirements and Burden of Proof
Interim Final Rule
    Section 164.414(a) requires covered entities to comply with the 
administrative requirements of Sec.  164.530(b), (d), (e), (g), (h), 
(i), and (j) of the Privacy Rule with respect to the breach 
notification provisions of this subpart. These Privacy Rule provisions, 
for example, require covered entities and business associates to 
develop and document policies and procedures, train workforce members 
on and have sanctions for failure to comply with these policies and 
procedures, permit individuals to file complaints regarding these 
policies and procedures or a failure to comply with them, and require 
covered entities to refrain from intimidating or retaliatory acts. 
Thus, a covered entity is required to consider and incorporate the 
breach notification requirements with respect to its administrative 
compliance and other obligations.
    Section 164.414(b) provides that, following an impermissible use or 
disclosure under the Privacy Rule, covered entities and business 
associates have the burden of demonstrating that all notifications were 
made as required by this subpart. Additionally, as part of 
demonstrating that all required notifications were made, a covered 
entity or business associate, as applicable, also must be able to 
demonstrate that an impermissible use or disclosure did not constitute 
a breach, as such term is defined at Sec.  164.402, in cases where the 
covered entity or business associate determined that notifications were 
not required. To conform to these provisions, Sec.  160.534 of the 
HIPAA Enforcement Rule makes clear that, during any administrative 
hearing, the covered entity has the burden of going forward and the 
burden of persuasion with respect to these issues.
    Thus, when a covered entity or business associate knows of an 
impermissible use or disclosure of protected health information, it 
should maintain documentation that all required notifications were 
made, or, alternatively, to demonstrate that notification was not 
required: (1) Its risk assessment (discussed above in Sec.  164.402) 
demonstrating a low probability that the protected health information 
has been compromised by the impermissible use or disclosure or (2) the 
application of any other exceptions to the definition of ``breach.''
Overview of Public Comments
    One commenter stated that it is critical that all employees are 
trained and knowledgeable about what constitutes a breach, so that the 
covered entity or business associate can provide the required 
notifications within the required timeframe. The commenter also 
maintained that OCR should emphasize the necessity of this training.
    With respect to the burden of proof placed upon covered entities 
and business associates, one commenter agreed that covered entities and 
business associates should have the burden to demonstrate that all 
notifications were provided following a breach of unsecured protected 
health information. However, the commenter asked that we include a 
presumption that an impermissible use or disclosure of protected health 
information did not constitute a breach if a covered entity or business 
associate has implemented a breach notification policy, completed a 
risk assessment, and documented that it followed its policy in reaching 
a conclusion that breach notification was not required.
Final Rule
    We retain Sec.  164.414 in this final rule without modification. We 
emphasize the importance of ensuring that all workforce members are 
appropriately trained and knowledgeable about what constitutes a breach 
and on the policies and procedures for reporting, analyzing, and 
documenting a possible breach of unsecured protected health 
information. We note that because this final rule modifies the 
definition of breach as stated in the interim final rule, covered

[[Page 5658]]

entities will need to update their policies and procedures and retrain 
workforce members as necessary to reflect such modifications.
    With respect to this burden of proof, section 13402 of the statute 
places the burden of proof on a covered entity or business associate, 
if applicable, to demonstrate that all notifications were made as 
required. Therefore, section 164.530(j)(1)(iv) requires covered 
entities to maintain documentation to meet this burden of proof. This 
includes documentation that all required notifications have been 
provided or that no breach occurred and notification was not necessary. 
If a covered entity's determination with respect to whether a breach 
occurred is called into question, the covered entity should produce the 
documentation that demonstrates the reasonableness of its conclusions 
based on the findings of its risk assessment.
8. Technical Corrections
    The interim final rule made several technical changes to align the 
HIPAA Rules in light of the new breach notification requirements of 
subpart D. See 74 FR 42755-56. We did not receive comments on these 
changes. We retain the technical corrections made in the interim final 
rule and also make an additional technical correction by adding ``and'' 
to the end of Sec.  160.534(b)(1)(iii) to make clear the relationship 
between Sec.  160.534(b)(1)(iii) and the new Sec.  160.534(b)(1)(iv).
9. Preemption
Interim Final Rule
    The interim final rule clarified that contrary State law will be 
preempted by these breach notification regulations. Section 1178 of the 
Social Security Act, 42 U.S.C. 1320d-7, which was added by HIPAA, 
provides that HIPAA administrative simplification provisions generally 
preempt conflicting State law. Section 160.203 states that a standard, 
requirement, or implementation specification that is adopted as 
regulation at 45 CFR parts 160, 162, or 164 and that is ``contrary to a 
provision of State law preempts the provision of State law.'' Thus, 
whether a State law is contrary to these breach notification 
regulations is to be determined based on the definition of ``contrary'' 
at Sec.  160.202, which states that a State law is contrary if ``[a] 
covered entity would find it impossible to comply with both the State 
and Federal requirements'' or if the State law ``stands as an obstacle 
to the accomplishment and execution of the full purposes and 
objectives'' of the breach notification provisions in the Act. Covered 
entities must analyze relevant State laws with respect to the breach 
requirements to understand the interaction and apply this preemption 
standard appropriately.
    In the interim final rule, we stated our belief that, in general, 
covered entities can comply with both the applicable State laws and 
this regulation and that in most cases, a single notification can 
satisfy the notification requirements under State laws and this 
regulation. For example, if a State breach notification law requires 
notification be sent to the individual in a shorter time frame than is 
required by this regulation, a covered entity that sends the notice 
within the time frame required by the State law will also be in 
compliance with this regulation's timeliness requirements.
    Additionally, since the Act and rule are flexible in terms of how 
the elements are to be described, and do not prohibit additional 
elements from being included in the notice, in general, Federal 
requirements contain flexibility for covered entities to develop a 
notice that satisfies both laws.
Overview of Public Comments
    While some commenters were pleased that the breach notification 
rule preempts conflicting State law, other commenters expressed 
confusion or concern with this preemption standard. Many commenters 
stated that despite the fact that in most cases a covered entity may 
only need to provide one notification to satisfy both State and Federal 
law, there will be some cases in which a covered entity will have to 
provide multiple notices to the same individual to ensure compliance 
with all relevant laws. This will result in confusion for the 
individual and increased costs for the covered entity. Some of these 
commenters suggested that this Federal breach notification law should 
preempt all State breach notification laws, or alternatively, that HHS 
should work with Congress and the States to harmonize the breach 
notification laws such that only one notice is required following a 
breach.
Final Rule
    We maintain the preemption standard discussed in the interim final 
rule, which is based on section 1128 of the Social Security Act and 
applies to the HITECH Act's breach notification provisions by virtue of 
section 13421 of the HITECH Act. We continue to believe that, 
generally, covered entities are able to comply with both State and 
Federal requirements for providing breach notification with one breach 
notice based on the flexibility provided to entities in this Rule. 
However, even in the exceptional case, we do not have authority to 
preempt a State breach notification law that is not contrary to this 
Rule.
10. Responses to Other Public Comments
    Comment: One commenter asked whether penalties are automatically 
assessed following a violation of the breach notification rule or if 
this is done at OCR's discretion and whether civil money penalties can 
be assessed for the underlying cause of a breach of unsecured protected 
health information where a covered entity has provided all required 
breach notifications.
    Response: OCR's enforcement of the breach notification rule will be 
carried out pursuant to the Enforcement Rule. Pursuant to the 
Enforcement Rule, OCR may impose a civil money penalty for a failure to 
comply with the breach notification rule. OCR also has the discretion 
to work with the covered entity to achieve voluntary compliance through 
informal resolution, except in cases in which it has found a violation 
due to willful neglect. Because every breach of unsecured protected 
health information must have an underlying impermissible use or 
disclosure under the Privacy Rule, OCR also has the authority to impose 
a civil money penalty for the underlying Privacy Rule violation, even 
in cases where all required breach notifications were provided.

VI. Modifications to the HIPAA Privacy Rule Under GINA

A. Background

    The Genetic Information Nondiscrimination Act of 2008 (``GINA''), 
Public Law 110-233, 122 Stat. 881, prohibits discrimination based on an 
individual's genetic information in both the health coverage and 
employment contexts. With respect to health coverage, Title I of GINA 
generally prohibits discrimination in premiums or contributions for 
group coverage based on genetic information, proscribes the use of 
genetic information as a basis for determining eligibility or setting 
premiums in the individual and Medicare supplemental (Medigap) 
insurance markets, and limits the ability of group health plans, health 
insurance issuers, and Medigap issuers to collect genetic information 
or to request or require that individuals undergo genetic testing. 
Title II of GINA generally prohibits use of genetic information in the 
employment context, restricts employers and other entities covered by 
Title II from requesting, requiring, or purchasing genetic

[[Page 5659]]

information, and strictly limits such entities from disclosing genetic 
information. The Departments of Labor, Treasury, and Health and Human 
Services (HHS) are responsible for administering and enforcing the GINA 
Title I nondiscrimination provisions, and the Equal Employment 
Opportunity Commission (EEOC) is responsible for administering and 
enforcing the GINA Title II nondiscrimination provisions.\13\
---------------------------------------------------------------------------

    \13\ The Departments of Labor (Employee Benefits Security 
Administration), Treasury (Internal Revenue Service), and HHS 
(Centers for Medicare & Medicaid Services (CMS)) have issued 
regulations in a separate rulemaking (at 74 FR 51664) to implement 
sections 101-103 of GINA, which amended: section 702 of the Employee 
Retirement Income Security Act of 1974 (29 U.S.C. 1182); section 
2702 of the Public Health Service Act (42 U.S.C. 300gg-1) 
(renumbered as section 2705 by the Affordable Care Act); and section 
9802 of the Internal Revenue Code of 1986. Section 104 of GINA 
applies to Medigap issuers, which are subject to the provisions of 
section 1882 of the Social Security Act that are implemented by CMS, 
and which incorporate by reference certain provisions in a model 
regulation of the National Association of Insurance Commissioners 
(NAIC). The NAIC amended its model regulation on September 24, 2008, 
to conform to section 104 of GINA, and the amended regulation was 
published by CMS in the Federal Register on April 24, 2009, at 74 FR 
18808. With respect to Title II of GINA, the EEOC issued final 
regulations on November 9, 2010, at 75 FR 68912.
---------------------------------------------------------------------------

    In addition to these nondiscrimination provisions, section 105 of 
Title I of GINA contains new privacy protections for genetic 
information, which require the Secretary of HHS to revise the Privacy 
Rule to clarify that genetic information is health information and to 
prohibit group health plans, health insurance issuers (including HMOs), 
and issuers of Medicare supplemental policies from using or disclosing 
genetic information for underwriting purposes.\14\
---------------------------------------------------------------------------

    \14\ Section 105 of GINA, entitled ``Privacy and 
Confidentiality,'' amends Part C of Title XI of the Social Security 
Act by adding section 1180 to address the application of the HIPAA 
Privacy Rule to genetic information.
---------------------------------------------------------------------------

B. Overview of the Proposed Rule

    On October 7, 2009, the Department published a notice of proposed 
rulemaking (NPRM or ``proposed rule'') to strengthen the privacy 
protections for genetic information under the HIPAA Privacy Rule by 
implementing the protections for genetic information required by GINA 
\15\ and making related changes to the Rule. In particular, in 
accordance with section 105 of GINA and the Department's general 
authority under sections 262 and 264 of HIPAA, the Department proposed 
to: (1) Explicitly provide that genetic information is health 
information for purposes of the Privacy Rule; (2) prohibit all health 
plans covered by the HIPAA Privacy Rule from using or disclosing 
protected health information that is genetic information for 
underwriting purposes; (3) revise the provisions relating to the Notice 
of Privacy Practices for health plans that perform underwriting; (4) 
make a number of conforming changes to definitions and other provisions 
of the Rule; and (5) make technical corrections to update the 
definition of ``health plan.''
---------------------------------------------------------------------------

    \15\ Any reference in this preamble to GINA is a reference to 
Title I of GINA, except as otherwise indicated.
---------------------------------------------------------------------------

    The 60-day public comment period for the proposed rule closed on 
December 7, 2009, and the Department received approximately twenty-five 
comments in response to its proposal.\16\ After considering the public 
comments, the Department is issuing this final rule to strengthen the 
privacy protections for genetic information in accordance with GINA and 
the Department's general authority under sections 262 and 264 of HIPAA. 
In developing this rule, the Department consulted with the Departments 
of Labor and Treasury, as required by section 105(b)(1) of GINA, to 
ensure, to the extent practicable, consistency across the regulations. 
In addition, the Department coordinated with the EEOC in the 
development of these regulations.
---------------------------------------------------------------------------

    \16\ The public comments are available at https://www.regulations.gov.
---------------------------------------------------------------------------

    The provisions of the proposed rule and the public comments 
received that were within the scope of the proposed rule are described 
in more detail below in the section-by-section description of the final 
rule.

C. Section-by-Section Description of Final Rule and Response to Public 
Comments

1. Scope: Extension of Required Protections to All Health Plans Subject 
to the HIPAA Privacy Rule
Proposed Rule
    Section 105 of GINA requires HHS to modify the Privacy Rule to 
prohibit ``a covered entity that is a group health plan, health 
insurance issuer that issues health insurance coverage, or issuer of a 
medicare [sic] supplemental policy'' from using or disclosing genetic 
information for underwriting purposes. Section 105 of GINA provides 
that the terms ``group health plan'' and ``health insurance coverage'' 
have the meanings given such terms under section 2791 of the Public 
Health Service Act (PHSA) (42 U.S.C. 300gg-91), and that the term 
``medicare [sic] supplemental policy'' has the meaning given such term 
in section 1882(g) of the Social Security Act. In addition, the term 
``health insurance issuer,'' as defined at 42 U.S.C. 300gg-91, includes 
a health maintenance organization (HMO). These four types of entities 
(i.e., group health plans, health insurance issuers, and health 
maintenance organizations, as defined in the PHSA, as well as issuers 
of Medicare supplemental policies), correspond to the types of covered 
entities listed at subparagraphs (i) through (iii) and (vi) of 
paragraph (1) of the definition of ``health plan'' at Sec.  160.103 in 
the HIPAA Privacy Rule, issued under HIPAA's Administrative 
Simplification provisions. These also are the entities to which HIPAA's 
nondiscrimination provisions apply and to which the nondiscrimination 
provisions of GINA Title I were directed.
    However, in addition to these four types of entities, the HIPAA 
Privacy Rule also includes a number of other entities within the 
definition of ``health plan'': (1) Long-term care policies (excluding 
nursing home fixed-indemnity policies); (2) employee welfare benefit 
plans or other arrangements that are established or maintained for the 
purpose of offering or providing health benefits to the employees of 
two or more employers (to the extent that they are not group health 
plans or health insurance issuers); (3) high risk pools that are 
mechanisms established under State law to provide health insurance 
coverage or comparable coverage to eligible individuals; (4) certain 
public benefit programs, such as Medicare Part A and B, Medicaid, the 
military and veterans' health care programs, the Indian Health Service 
program, and others; as well as (5) any other individual or group plan, 
or combination of individual or group plans that provides or pays for 
the cost of medical care (as the term ``medical care'' is defined in 
section 2791(a)(2) of the PHSA, 42 U.S.C. 300gg-91(a)(2)). This last 
category includes, for example, certain ``excepted benefits'' plans 
described at 42 U.S.C. 300gg-91(c)(2), such as limited scope dental or 
vision benefits plans. See the definition of ``health plan'' at Sec.  
160.103.
    In the NPRM, the Department, using both its authority under GINA as 
well as its broad authority under HIPAA, proposed to apply the 
prohibition on using and disclosing protected health information that 
is genetic information for underwriting to all health plans that are 
subject to the Privacy Rule, rather than solely to the plans GINA 
explicitly requires be subject to the prohibition. As explained in the 
proposed rule, the HIPAA Administrative Simplification provisions 
provide the Secretary with

[[Page 5660]]

broad authority to craft privacy standards that uniformly apply to all 
health plans, regardless of whether such health plans are governed by 
other portions of the HIPAA statute. In addition, the Department 
indicated in the proposed rule that nothing in GINA explicitly or 
implicitly curtails this broad authority of the Secretary to promulgate 
privacy standards for any and all health plans that are governed by the 
HIPAA Administrative Simplification provisions.
    Under the Privacy Rule, and consistent with HIPAA, an individual's 
privacy interests and rights with respect to the use and disclosure of 
protected health information are protected uniformly without regard to 
the type of health plan that holds the information. Thus, under the 
Privacy Rule, individuals can expect and benefit from privacy 
protections that do not diminish based on the type of health plan from 
which they obtain health coverage. In developing the proposed rule, the 
Department believed that individuals' interests in uniform protection 
under the Privacy Rule against the use or disclosure of their genetic 
information for underwriting purposes would outweigh any adverse impact 
on health plans that are not covered by GINA, particularly since it was 
not expected that all of the health plans subject to the Privacy Rule 
use or disclose protected health information that is genetic 
information for underwriting (or even perform underwriting generally, 
in the case of some of the public benefit plans). For these reasons, 
the Department proposed to apply the prohibition on using or disclosing 
protected health information that is genetic information for 
underwriting purposes to all health plans that are HIPAA covered 
entities.
Overview of Public Comments
    The Department received comments both in support of and against the 
proposed application of the prohibition on using or disclosing genetic 
information for underwriting purposes to all health plans covered by 
the Privacy Rule. Several commenters agreed that the extension of the 
proposed requirements to all health plans is an appropriate exercise of 
the Secretary's discretion under HIPAA and is necessary to protect the 
privacy interests of all individuals without regard to the type of 
health plan holding individuals' health information, and stated that 
such an extension would further encourage individuals to take advantage 
of genetic services. In addition, one commenter in support of the 
proposal indicated that sixteen States also regulate the use of genetic 
information in disability insurance, and ten States regulate its use in 
long-term care insurance, and it is expected that these numbers will 
continue to increase. The commenter stated that as States move forward 
in this area it was appropriate for the Federal government to do so as 
well. However, this and one other commenter, while generally in support 
of extending the prohibition on using or disclosing genetic information 
for underwriting to all health plans, also recommended that the 
Department monitor the impact of such a prohibition on long-term care 
insurers.
    A few commenters did not support the Department's proposal and 
argued that the prohibition against using or disclosing genetic 
information for underwriting purposes in the Privacy Rule should apply 
only to those plans to which GINA expressly applies. Commenters argued 
that applying the prohibition beyond the health plans identified in 
GINA was contrary to GINA and its intent.
    Certain commenters expressed particular disagreement and concern 
with applying the prohibition on the use of genetic information for 
underwriting to long-term care insurers. One commenter argued that 
there was clear Congressional intent in the legislative history of GINA 
to exempt ``excepted benefits,'' particularly long-term care insurance, 
from any prohibitions under GINA and thus, the Privacy Rule should not 
apply the prohibition on underwriting with genetic information to 
issuers of long term care policies. The commenter also argued that the 
GINA prohibition should not apply to long-term care insurers because 
long-term care plans have different characteristics from other health 
plans and applying the GINA prohibition to long-term care insurers 
would jeopardize the ability of long-term care insurers to adequately 
underwrite and thus, the viability of the long-term care insurance 
market. The commenter explained that this would be due to the fact that 
when underwriting, long term care insurers look to determine an 
individual's probability of needing long-term care in the future and 
diagnosis of a particular condition is not the only way this may be 
determined and in some cases may not even be relevant to such a 
determination. The Department also heard similar concerns about the 
potential negative impact of an underwriting prohibition on the 
economic viability of the long-term market, from certain members of 
Congress who wrote to the Secretary on this issue, as well as from 
certain outside parties during fact finding meetings held by the 
Department.
Final Rule
    The final rule adopts the approach of the proposed rule to apply 
the prohibition on using or disclosing protected health information 
that is genetic information for underwriting purposes to all health 
plans that are covered entities under the HIPAA Privacy Rule, including 
those to which GINA does not expressly apply, except with regard to 
issuers of long term care policies. We continue to disagree with the 
commenters that stated such an extension would conflict with GINA and 
is outside the scope of our authority. As explained more fully in the 
proposed rule, the Department has broad authority under HIPAA to 
regulate a health plan's uses and disclosures of protected health 
information, including genetic information, to protect an individual's 
privacy interests. See 74 FR 51698, 51699-51700. It does not follow 
that by exempting ``excepted benefits'' from the prohibitions under 
GINA that Congress intended to restrict the Department's broad 
authority under HIPAA. Further, there is no conflict with GINA in 
extending the same privacy protections outlined in GINA to those health 
plans that are not covered by GINA but are otherwise covered by the 
HIPAA Privacy Rule. GINA and section 264 of HIPAA are not 
irreconcilably inconsistent but rather operate concurrently without 
conflict. Lastly, GINA did not override HIPAA, and did not displace the 
Department's authority to prohibit uses and disclosures of genetic 
information that GINA does not otherwise prohibit. Therefore, nothing 
in GINA explicitly or implicitly curtails the broad authority of the 
Secretary to promulgate privacy standards for any and all health plans 
that are governed by the HIPAA Administrative Simplification 
provisions.
    We also continue to believe that individuals have a strong privacy 
interest in not having their genetic information used in an adverse 
manner for underwriting purposes and to believe that this privacy 
interest outweighs any adverse impact on most health plans covered by 
the Privacy Rule. With respect to most health plans not subject to 
GINA, the public comment did not indicate that a prohibition on using 
genetic information for underwriting would have significant adverse 
impacts on the viability of these plans. Nor did the public comment 
generally provide information showing that these health plans actually 
use or disclose protected health information that is genetic 
information for underwriting, or plan to

[[Page 5661]]

do so in the future (or even perform underwriting generally, in the 
case of some of the public benefit plans).
    However, as indicated above, the Department did hear from a number 
of sources about the potential adverse impact a prohibition on using 
genetic information for underwriting would have on the ability of a 
long-term care insurer to effectively underwrite and thus, on the 
viability of the long-term care insurance market generally. The 
Department recognizes the importance of long-term care insurance 
coverage and the need to ensure its continued availability. The 
Department also acknowledges that, at this time, it does not have the 
information necessary to more precisely and carefully measure the 
extent of such an impact on the long-term market in order to 
appropriately balance an individual's privacy interests with such an 
impact. Thus, this final rule excludes long-term care plans from the 
underwriting prohibition.
    While we exempt long-term care plans from the underwriting 
prohibition in this final rule, we continue to believe an individual 
has a strong privacy interest in the way his or her genetic information 
is used for the underwriting of long-term care insurance. At the 
current time, however, we do not have sufficient information to 
determine the proper balance between the individual's privacy interests 
and the industry's concerns about the cost effects of excluding genetic 
information. For that reason, we are looking into ways to obtain 
further information on this issue, such as through a study by the 
National Association of Insurance Commissioners (NAIC) on the tension 
between the use of genetic information for underwriting and the 
associated privacy concerns in the context of their model long-term 
care rules. Based on the information the Department may obtain, the 
Department will reassess how best to move forward in this area in the 
future.
    Long-term care plans, while not subject to the underwriting 
prohibition, continue to be bound by the Privacy Rule, as are all other 
covered health plans, to protect genetic information from improper uses 
and disclosures, and to only use or disclose genetic information as 
required or expressly permitted by the Rule, or as otherwise authorized 
by the individual who is the subject of the genetic information.
2. Section 160.101--Statutory Basis and Purpose
    We have revised Sec.  160.101, which describes the statutory basis 
of the HIPAA Rules, to include a reference to section 1180 of the 
Social Security Act, as added by section 105 of GINA (Pub. L. 110-233).
3. Section 160.103--Definitions
    The final rule modifies Sec.  160.103 of the Privacy Rule to: (1) 
Revise the definition of ``health information'' to make clear that the 
term includes ``genetic information;'' (2) add definitions for the 
GINA-related terms of ``family member,'' ``genetic information,'' 
``genetic services,'' ``genetic test,'' and ``manifestation or 
manifested;'' and (3) make technical corrections to the definition of 
``health plan.'' With respect to the GINA-related terms, the final rule 
adopts definitions that are generally consistent with the definitions 
of such terms promulgated in the implementing regulations for sections 
101-103 of GINA. This will facilitate compliance for those health plans 
subject to both the privacy as well as the nondiscrimination provisions 
of GINA.
a. Definition of ``Health information''
Proposed Rule
    Prior to enactment of GINA, the Department issued guidance that 
genetic information is health information protected by the Privacy Rule 
to the extent that such information is individually identifiable and 
held by a covered entity (subject to the general exclusions from the 
definition of ``protected health information'').\17\ Section 105 of 
GINA requires the Secretary to revise the Privacy Rule to make clear 
that genetic information is health information under the Rule. Thus, 
the Department proposed to modify the definition of ``health 
information'' at Sec.  160.103 to explicitly provide that such term 
includes genetic information.
---------------------------------------------------------------------------

    \17\ See, e.g., Frequently Asked Question number 354, available 
at https://www.hhs.gov/ocr/privacy/hipaa/faq/protected_health_information/354.html, which states: Question: Does the HIPAA Privacy 
Rule protect genetic information? Answer: Yes, genetic information 
is health information protected by the Privacy Rule. Like other 
health information, to be protected it must meet the definition of 
protected health information: it must be individually identifiable 
and maintained by a covered health care provider, health plan, or 
health care clearinghouse. See also 45 CFR 160.103.
---------------------------------------------------------------------------

Overview of Public Comments
    The Department received a few comments expressing specific support 
for and one comment against the proposed inclusion of the term 
``genetic information'' in the definition of ``health information.'' 
The commenters supporting the revision to the definition of ``health 
information'' indicated that such an inclusion was necessary to clarify 
that genetic information is health information. The commenter against 
the proposed inclusion to the definition argued that although GINA 
directs the Department to treat genetic information as health 
information, the language of GINA does not require a change to the 
definition of ``health information,'' and this change would create 
costs for health plans, which would have to update all their policies 
and procedures to reflect the change.
Final Rule
    The final rule adopts the proposed modification to the definition 
of ``health information'' at Sec.  160.103. This modification to the 
definition is a necessary clarification to the Privacy Rule based on 
the statutory language. Given that revising the definition of ``health 
information'' to include genetic information does not substantively 
change the scope of the Privacy Rule, it is unclear why such a change 
alone would require revisions to a health plan's policies and 
procedures. Health plans that perform underwriting will otherwise need 
to revise their policies and procedures as necessary to comply with 
this final rule, as well as the modifications to the HIPAA Rules 
required by the Health Information Technology for Economic and Clinical 
Health (HITECH) Act. Thus, to the extent the concern about this 
modification stems from the fact that a health plan's policies and 
procedures quote the prior regulatory definition of ``health 
information,'' the health plan can revise the definition at the time it 
is otherwise updating its policies and procedures to comply with these 
rules.
b. Definition of ``Genetic Information''
Proposed Rule
    The term ``genetic information'' is defined in GINA and establishes 
what information is protected by the statute. Section 105 of GINA 
provides that the term ``genetic information'' in section 105 shall 
have the same meaning given the term in section 2791 of the PHSA (42 
U.S.C. 300gg-91), as amended by section 102 of GINA. Section 102(a)(4) 
of GINA defines ``genetic information'' to mean, with respect to any 
individual, information about: (1) Such individual's genetic tests; (2) 
the genetic tests of family members of such individual; and (3) the 
manifestation of a disease or disorder in family members of such 
individual (i.e., family medical history). GINA also provides that the 
term ``genetic information'' includes, with respect to any individual, 
any request for, or receipt of, genetic services, or participation in 
clinical research which includes genetic services, by such

[[Page 5662]]

individual or family member of such individual. GINA expressly provides 
that the term ``genetic information'' shall not include information 
about the sex or age of any individual. This basic definition of 
``genetic information'' in section 102(a)(4) of GINA (and that is to 
apply for purposes of section 105) is also expanded by section 
102(a)(3), which provides that any reference to genetic information 
concerning an individual or family member in the PHSA shall include: 
with respect to an individual or family member of an individual who is 
a pregnant woman, the genetic information of any fetus carried by such 
pregnant woman; and with respect to an individual or family member 
utilizing an assisted reproductive technology, the genetic information 
of any embryo legally held by the individual or family member. The 
Department proposed to include this statutory definition of ``genetic 
information'' in Sec.  160.103.
Overview of Public Comments
    Most commenters did not address the proposed definition of 
``genetic information'' in their comments on the proposed rule. 
However, one commenter stated that it was unclear what information may 
fall within the scope of the term ``genetic information'' and whether 
such term may be construed to include traditional medical information 
or medical tests used in underwriting today.
Final Rule
    The final rule adopts without modification the definition of 
``genetic information'' proposed in the NPRM. This definition is 
consistent with the definition found in the implementing regulations 
for sections 101-103 of GINA and with which compliance is already 
required by most health plans. The term ``genetic information'' 
includes information about the genetic tests of the individual or of 
the individual's family members and about diseases or disorders 
manifested in an individual's family members (i.e., family health 
history). Thus, information about manifested diseases, disorders, or 
conditions of the individual or medical tests that do not meet the 
rule's definition of ``genetic test,'' such as HIV tests, complete 
blood counts, cholesterol or liver function tests, or tests to detect 
for the presence of alcohol or drugs, are not genetic information, and 
such information may be used or disclosed for underwriting purposes. 
Conversely, family health histories and information about genetic 
tests, such as tests to determine whether an individual or family 
member has a gene variant associated with breast cancer, are genetic 
information, and such information may not be used or disclosed for 
underwriting purposes. The definitions of ``manifestation or 
manifested'' and ``genetic test'' are discussed more fully below.
c. Definition of ``Genetic Test''
Proposed Rule
    As explained above, GINA provides that the term ``genetic 
information'' includes information about an individual's genetic tests 
or the genetic tests of family members of the individual. Section 105 
of GINA provides that the term ``genetic test'' shall have the same 
meaning as the term has in section 2791 of the PHSA (42 U.S.C. 300gg-
91), as amended by section 102 of GINA. Section 102(a)(4) of GINA 
amends section 2791(d) of the PHSA to define ``genetic test'' to mean 
``an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, 
that detects genotypes, mutations, or chromosomal changes.'' GINA 
further clarifies that the term ``genetic test'' does not include an 
analysis of proteins or metabolites that does not detect genotypes, 
mutations, or chromosomal changes, nor does it include an analysis of 
proteins or metabolites that is directly related to a manifested 
disease, disorder, or pathological condition that could reasonably be 
detected by a health care professional with appropriate training and 
expertise in the field of medicine involved.
    Consistent with the statutory definition, the Department proposed 
to define ``genetic test'' at Sec.  160.103 as an analysis of human 
DNA, RNA, chromosomes, proteins, or metabolites, if the analysis 
detects genotypes, mutations, or chromosomal changes, and to provide in 
the definition that ``genetic test'' does not include an analysis of 
proteins or metabolites that is directly related to a manifested 
disease, disorder, or pathological condition. While the statute refers 
to a ``manifested'' disease as one that could reasonably be detected by 
a health care professional with appropriate training and expertise in 
the field of medicine involved, the statute does not define 
``manifested.'' Consequently, for clarity, the Department proposed a 
definition of ``manifested,'' as described below.
Overview of Public Comments
    The Department received one comment requesting that the Department 
include examples within the regulatory text of the definition and 
another comment stated that it is not clear what constitutes a genetic 
test under the definition.
Final Rule
    The final rule adopts without modification the definition of 
``genetic test'' as proposed in the NPRM. This definition is consistent 
with the definition found in the implementing regulations for sections 
101-103 of GINA and with which compliance is already required by most 
health plans. Under this definition, a test to determine whether an 
individual has a gene variant associated with breast cancer (such as 
the BRCA1 or BRCA2 variant) is a genetic test. Similarly, a test to 
determine whether an individual has a genetic variant associated with 
hereditary nonpolyposis colorectal cancer is a genetic test. Such tests 
are genetic in nature because they detect genotypes, mutations, or 
chromosomal changes. In contrast, medical tests that do not detect 
genotypes, mutations, or chromosomal changes, are not genetic tests. 
For example, HIV tests, complete blood counts, cholesterol tests, liver 
function tests, or tests for the presence of alcohol or drugs are not 
genetic tests. Consistent with the approach taken generally with the 
HIPAA Privacy Rule, the Department declines to include these examples 
in the regulatory text. The Department intends to issue future guidance 
on its web site about this issue.
d. Definition of ``Genetic Services''
Proposed Rule
    GINA provides that the term ``genetic information'' includes, with 
respect to any individual, any request for, or receipt of, genetic 
services, or participation in clinical research which includes genetic 
services, by such individual or any family member of such individual. 
Section 102(a)(4) of GINA defines ``genetic services'' to mean: (1) A 
genetic test; (2) genetic counseling (including obtaining, 
interpreting, or assessing genetic information); or (3) genetic 
education. Thus, the fact that an individual or a family member of the 
individual requested or received a genetic test, counseling, or 
education is information protected under GINA. Genetic counseling and 
education are means by which individuals can obtain information and 
support about potential risks for genetic diseases and disorders. The 
Department proposed to add the statutory definition of ``genetic 
services'' to the Privacy Rule.
Overview of Public Comments
    The Department received one comment requesting that the

[[Page 5663]]

Department add language to the definition to make clear that the 
genetic tests, genetic counseling, or genetic education of a family 
member of an individual are specifically covered by the term.
Final Rule
    The final rule adopts without modification the definition of 
``genetic services'' proposed in the NPRM. This definition is 
consistent with the definition found in the implementing regulations 
for sections 101-103 of GINA and with which compliance is already 
required by most health plans. The Department does not believe it 
necessary to add the term ``family member'' to the definition of 
``genetic services'' because the definition of ``genetic information'' 
makes clear that information about any request for, or receipt of, 
genetic services by a family member of an individual is protected 
information.
e. Definition of ``Family Member''
Proposed Rule
    The term ``family member'' is used in the definition of ``genetic 
information'' in GINA to indicate that an individual's genetic 
information also includes information about the genetic tests of the 
individual's family members, as well as family medical history. Section 
105 of GINA states that the term ``family member'' shall have the 
meaning given such term in section 2791 of the PHSA (42 U.S.C. 300gg-
91), as amended by GINA section 102(a)(4), which defines ``family 
member'' to mean, with respect to any individual: (1) A dependent (as 
such term is used for purposes of section 2701(f)(2) of the PHSA, 42 
U.S.C. 300gg(f)(2)) of such individual; or (2) any other individual who 
is a first-degree, second-degree, third-degree, or fourth-degree 
relative of such individual or of a dependent of the individual. 
Section 2701(f)(2) of the PHSA uses the term ``dependent'' to mean an 
individual who is or may become eligible for coverage under the terms 
of a group health plan because of a relationship to the plan 
participant.
    The Department proposed to incorporate GINA's definition of 
``family member'' into the Privacy Rule. The proposed rule also 
clarified within the definition that relatives by affinity (such as by 
marriage or adoption) are to be treated the same as relatives by 
consanguinity (that is, relatives who share a common biological 
ancestor) and that, in determining the degree of relationship, 
relatives by less than full consanguinity (such as half-siblings, who 
share only one parent) are treated the same as relatives by full 
consanguinity (such as siblings who share both parents). The NPRM 
explained that this broad interpretation of ``family member'' was 
consistent with GINA's legislative history, which suggests that the 
term ``family member'' is to be broadly construed to provide the 
maximum protection against discrimination.\18\ In addition, the 
Department proposed to include in the definition of ``family member'' 
non-exhaustive lists of persons who are first-, second-, third-, or 
fourth-degree relatives. Finally, within the definition of ``family 
member,'' the Department proposed to refer to the definition of 
``dependent'' contained in the implementing regulations at 45 CFR 
144.103 rather to the PHSA directly.
---------------------------------------------------------------------------

    \18\ See House Report 110-28, Part 2 at 27.
---------------------------------------------------------------------------

Overview of Public Comments
    One commenter expressed support for including relatives by affinity 
and by less than full consanguinity, agreeing that this interpretation 
is consistent with Congressional intent and provides the most privacy 
protection for individuals. This commenter also was supportive of 
including non-exhaustive lists of persons who are first-, second-, 
third-, and fourth-degree relatives to add clarity to the definition.
Final Rule
    As we received only support with regard to the definition of 
``family member,'' the final rule adopts without modification the 
definition of ``family member'' proposed in the NPRM. This definition 
also is consistent with the definition found in the implementing 
regulations for sections 101-103 of GINA and with which compliance is 
already required by most health plans.
f. Definition of ``Manifestation or Manifested''
Proposed Rule
    Although not separately defined by GINA, the terms 
``manifestation'' or ``manifested'' are used in GINA in three important 
contexts. First, GINA uses the term ``manifestation'' to incorporate 
``family medical history'' into the definition of ``genetic 
information'' by stating that ``genetic information'' includes, with 
respect to an individual, the manifestation of a disease or disorder in 
family members of such individual. Second, GINA uses the term 
``manifested'' to exclude from the definition of ``genetic test'' those 
tests that analyze a physical malady rather than genetic makeup by 
excluding from the definition analyses of proteins or metabolites that 
are directly related to a manifested disease, disorder, or pathological 
condition. Third, GINA uses the term ``manifestation'' to clarify that 
nothing in Title I of GINA should be construed to limit the ability of 
a health plan to adjust premiums or contribution amounts for a group 
health plan based on the manifestation of a disease or disorder of an 
individual enrolled in the plan.\19\ However, GINA provides that, in 
such case, the manifestation of a disease or disorder in one individual 
cannot also be used as genetic information about other group members 
and to further increase the premium for the plan. Similarly, for the 
individual health insurance market, GINA clarifies that it does not 
prohibit a health plan from establishing rules for eligibility for an 
individual to enroll in coverage or from adjusting premium or 
contribution amounts for an individual based on the manifestation of a 
disease or disorder in that individual or in a family member of such 
individual where such family member is covered under the individual's 
policy. However, under GINA, the manifestation of a disease or disorder 
in one individual cannot also be used as genetic information about 
other individuals and to further increase premiums or contribution 
amounts.
---------------------------------------------------------------------------

    \19\ We note that the Affordable Care Act, enacted on March 23, 
2010, includes a provision effective for plan years beginning on or 
after January 1, 2014, that prohibits insurers from discriminating 
against individuals or charging individuals higher rates based on 
pre-existing conditions. See Public Law 111-148.
---------------------------------------------------------------------------

    Given the importance of the term ``manifested'' or 
``manifestation,'' the Department proposed to define the term. Although 
GINA does not define the term, it is clear from the statutory 
definition of ``genetic test'' that a manifested disease or disorder is 
one ``that could reasonably be detected by a health care professional 
with appropriate training and expertise in the field of medicine 
involved.'' Accordingly, the proposed rule defined the term 
``manifestation or manifested'' to mean, with respect to a disease, 
disorder, or pathological condition, that an individual has been or 
could reasonably be diagnosed with the disease, disorder, or 
pathological condition by a health care professional with appropriate 
training and expertise in the field of medicine involved. The proposed 
definition also provided that a disease, disorder, or pathological 
condition is not manifested if the diagnosis is based principally on 
genetic information. This clarification was included due to the fact 
that variants of genes associated with diseases have varying degrees of 
predictive power for

[[Page 5664]]

later development of the disease. In some cases, an individual may have 
a genetic variant for a disease and yet never develop the disease. In 
other cases, the presence of a genetic variant indicates that the 
individual will eventually develop the disease, such as is the case 
with Huntington's disease. However, an individual may obtain a positive 
test that shows the genetic variant for Huntington's disease decades 
before any clinical symptoms appear. Under the proposed definition, the 
presence of a genetic variant alone would not constitute the diagnosis 
of a disease even in cases where it is certain the individual 
possessing the genetic variant will eventually develop the disease, 
such as with Huntington's disease.
Overview of Public Comments
    A few commenters expressed support for adopting the proposed 
definition of ``manifestation or manifested'' because it would provide 
clarity to the rule and the scope of the underwriting prohibition. One 
commenter requested that the Department include the examples provided 
in the preamble to the proposed rule directly within the regulatory 
definition. A few commenters raised concerns about the inclusion in the 
proposed definition of the clarification that ``a disease, disorder, or 
pathological condition is not manifested if the diagnosis is based 
principally on genetic information.'' It was argued that the proposed 
definition was too narrow because, for some diseases, disorders, or 
pathological conditions, a genetic test is the primary means of 
diagnosing the condition and further that genetic tests will more 
frequently be used to diagnose diseases or conditions in the future 
given the continuing evolution of genetics. It was also argued that the 
proposed definition went beyond GINA by indicating how a manifested 
disease or disorder is diagnosed.
Final Rule
    The final rule adopts without modification the definition of 
``manifestation or manifested'' proposed in the NPRM. The definition is 
consistent with the definition of ``manifestation or manifested'' found 
in the implementing regulations for the non-discrimination provisions 
of sections 101-103 of GINA and with which compliance is already 
required for most health plans. In developing this definition, the 
agencies consulted with technical experts at the National Human Genome 
Research Institute within the National Institutes of Health (NIH). In 
addition, for the reasons stated above regarding the varying degrees of 
predictive power genes provide in terms of ultimate development of a 
disease, as well as of the fact that a genetic test for a disease may 
precede clinical signs or symptoms by years or even decades, the 
Department does not believe that the definition is too narrow but 
rather that it is consistent with the provisions of GINA that protect 
genetic information from being used for health coverage determinations. 
Finally, the definition does not preclude a health care provider from 
performing one or more genetic tests to confirm a diagnosis so long as 
the diagnosis is not based solely or principally on the result of the 
genetic test.
    To illustrate the definition, we provide the following examples, 
which were also included in the NPRM:
     An individual may have a family member that has been 
diagnosed with Huntington's disease and also have a genetic test result 
that indicates the presence of the Huntington's disease gene variant in 
the individual. However, when the individual is examined by a 
neurologist (a physician with appropriate training and expertise for 
diagnosing Huntington's disease) because the individual has begun to 
suffer from occasional moodiness and disorientation (symptoms which are 
associated with Huntington's disease), and the results of the 
examination do not support a diagnosis of Huntington's disease, then 
Huntington's disease is not manifested with respect to the individual. 
In contrast, if the individual exhibits additional neurological and 
behavioral symptoms, and the results of the examination support a 
diagnosis of Huntington's disease by the neurologist, then Huntington's 
disease is manifested with respect to the individual.
     An individual has had several family members with colon 
cancer, one of whom underwent genetic testing which detected a mutation 
in the MSH2 gene associated with hereditary nonpolyposis colorectal 
cancer (HNPCC). On the recommendation of his physician (a health care 
professional with appropriate training and expertise in the field of 
medicine involved), the individual undergoes a targeted genetic test to 
look for the specific mutation found in the family member of the 
individual to determine if the individual himself is at increased risk 
for cancer. The genetic test shows that the individual also carries the 
mutation but the individual's colonoscopy indicates no signs of disease 
and the individual has no symptoms. Because the individual has no signs 
or symptoms of colorectal cancer that could be used by the individual's 
physician to diagnose the cancer, HNPCC is not a manifested disease 
with respect to the individual. In contrast, if the individual 
undergoes a colonoscopy or other medical tests that indicate the 
presence of HNPCC, and the individual's physician makes a diagnosis of 
HNPCC, HNPCC is a manifested disease with respect to the individual.
     If a health care professional with appropriate expertise 
makes a diagnosis based on the symptoms of the patient, and uses 
genetic tests to confirm the diagnosis, the disease will be considered 
manifested, despite the use of genetic information. For example, if a 
neurologist sees a patient with uncontrolled movements, a loss of 
intellectual faculties, and emotional disturbances, and the neurologist 
suspects the presence of Huntington's disease, the neurologist may 
confirm the diagnosis with a genetic test. While genetic information is 
used as part of the diagnosis, the genetic information is not the sole 
or principal basis for the diagnosis, and, therefore, the Huntington's 
disease would be considered a manifested disease of the patient.
    As with the definition of ``genetic test,'' the Department declines 
to include these examples in the regulatory text as this is 
inconsistent with the approach generally taken in the HIPAA Privacy 
Rule. The Department intends to issue future guidance on its web site 
with respect to the Rule's protections for genetic information.
g. Definition of ``Health Plan''
Proposed Rule
    The Department proposed to make technical corrections to update the 
definition of ``health plan'' by revising and renumbering the 
definition to: Include specific reference to the Voluntary Prescription 
Drug Benefit Program under Part D of title XVIII of the Social Security 
Act, 42 U.S.C. 1395w-101 through 1395w-152; remove the specific 
reference to the Civilian Health and Medical Program of the Uniformed 
Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)), as this program 
is now part of the TRICARE health care program under title 10 of the 
United States Code, and revise the reference to the title 10 health 
care program accordingly to read more generally ``health care program 
for the uniformed services'' rather than ``health care program for 
active military personnel''; and reflect that Part C of title XVIII of 
the Social Security Act, 42 U.S.C. 1395w-21 through 1395w-28, is now 
called the Medicare Advantage program.

[[Page 5665]]

Overview of Public Comments
    The Department did not receive any comments on the proposed 
technical corrections to the definition of ``health plan.''
Final Rule
    The final rule incorporates the technical corrections to the 
definition.
4. Section 164.501--Definitions
    The Department proposed to modify Sec.  164.501 to add a definition 
of ``underwriting purposes'' and to make conforming changes to the 
definitions of ``payment'' and ``health care operations.''
a. Definition of ``Underwriting Purposes''
Proposed Rule
    Section 105 of GINA provides that the term ``underwriting 
purposes'' means, with respect to a group health plan, health insurance 
coverage, or Medicare supplemental policy: (A) Rules for, or 
determination of, eligibility (including enrollment and continued 
eligibility) for, or determination of, benefits under the plan, 
coverage, or policy; (B) the computation of premium or contribution 
amounts under the plan, coverage, or policy; (C) the application of any 
pre-existing condition exclusion under the plan, coverage, or policy; 
and (D) other activities related to the creation, renewal, or 
replacement of a contract of health insurance or health benefits.
    The Department proposed to adopt GINA's statutory definition of 
``underwriting purposes'' in Sec.  164.501 of the Privacy Rule, but 
also proposed to include certain clarifications for consistency with 
the regulations promulgated to implement the nondiscrimination 
provisions in sections 101 through 103 of GINA. In particular, the 
Department proposed to include a parenthetical to explain that the 
rules for, or determination of eligibility for, or determination of, 
benefits under the plan include changes in deductibles or other cost-
sharing mechanisms in return for activities such as completing a health 
risk assessment or participating in a wellness program. The proposed 
rule also included a parenthetical to make clear that the computation 
of premium or contribution amounts under the plan, coverage, or policy 
includes discounts, rebates, payments in kind, or other premium 
differential mechanisms in return for activities such as completing a 
health risk assessment or participating in a wellness program. Finally, 
we proposed a provision within the definition to clarify that 
``underwriting purposes'' does not include determinations of medical 
appropriateness where an individual seeks a benefit under the plan, 
coverage, or policy.
Overview of Public Comments
    About ten commenters addressed the proposed definition of 
``underwriting purposes.'' Four commenters generally supported the 
proposed definition. Other commenters expressed concern with the 
definition's inclusion of discounts, rebates, payments in kind, or 
other premium differential mechanisms in return for activities such as 
completing a health risk assessment (HRA) or participating in a 
wellness program. These commenters were concerned that prohibiting the 
use of genetic information, particularly family health history, for 
such purposes would have a detrimental impact on wellness and disease 
management programs. One commenter was concerned that the definition 
would prohibit dental insurance plans from offering preventive 
prognostic features to enrollees as part of the plan that test for 
susceptibility to dental decay and periodontal diseases. Enrollees that 
test positive would be provided with additional plan benefits as a 
supplement to the standard benefits to cover more aggressive preventive 
services. Finally, a few commenters were concerned that the broad 
definition of ``underwriting purposes'' would preclude plans from using 
HRAs and offering wellness programs even if no genetic information is 
requested or used. For example, one commenter was concerned that the 
definition would prohibit the use of ``personal habit'' information, 
such as information about smoking, or alcohol or drug use.
Final Rule
    The final rule adopts the proposed definition of ``underwriting 
purposes'' but moves the definition to within the underwriting 
prohibition at Sec.  164.502(a)(5)(i). This makes clear that the 
definition applies only for purposes of the prohibition on a health 
plan's use or disclosure of genetic information for underwriting 
purposes. As discussed more fully below with respect to the definition 
of ``health care operations,'' we move the definition of ``underwriting 
purposes'' and retain the term ``underwriting'' within the definition 
of ``health care operations'' in response to several public comments 
expressing concern that the proposed rule would no longer allow health 
plans to use or disclose any protected health information (i.e., even 
non-genetic information) for underwriting.
    The adopted definition is consistent with the definition 
promulgated in the interim final regulations to implement sections 101-
103 of GINA and with which compliance is already required by most 
health plans. We decline to exclude wellness programs and the use of 
HRAs from the definition because, as discussed in the interim final 
regulations issued by DOL, Treasury, and HHS, GINA Title I does not 
include an exception for wellness programs.\20\ However, we emphasize 
that health plans may continue to provide incentives for completing 
HRAs and participating in wellness programs in manners that do not 
involve the use or disclosure of genetic information. For example, 
``personal habit'' information about an individual, such as smoking 
status and alcohol and drug use, is not genetic information and thus, 
may be used by health plans for underwriting purposes. Further, DOL has 
issued guidance which makes clear that health plans may continue to 
collect family health history through the use of HRAs that are not tied 
to any reward.\21\
---------------------------------------------------------------------------

    \20\ See 74 FR 51669, footnote 12.
    \21\ See Q14 at https://www.dol.gov/ebsa/faqs/faq-GINA.html.
---------------------------------------------------------------------------

    In addition, the definition of ``underwriting purposes'' includes 
an exception for determinations of medical appropriateness where an 
individual seeks a benefit under the plan, coverage, or policy. Thus, 
to the extent that an individual is seeking a particular benefit under 
the plan and the health plan needs genetic information to determine the 
medical appropriateness of providing the benefit to the individual, the 
plan may use or disclose the minimum necessary genetic information to 
determine the medical appropriateness of providing the benefit. For 
example, if a health plan covers yearly mammograms for individuals 
under age 40 only in cases where the individual can demonstrate she is 
at increased risk for breast cancer, the plan can ask an individual 
under age 40 to provide the results of a genetic test or family health 
history and use such information to determine medical appropriateness 
prior to paying a claim for the mammogram. The medical appropriateness 
exception would also cover situations where a dental plan requires the 
results of a genetic test prior to offering a supplemental benefit for 
more aggressive preventive services to the extent the individual seeks 
such a benefit. For example, a dental plan may provide information to 
all of its enrollees about how to take advantage of

[[Page 5666]]

such a benefit, and when an enrollee contacts the plan about obtaining 
the benefit, may require the individual to take and provide the results 
of a genetic test to determine the medical appropriateness of providing 
the supplemental benefit to the individual.
b. Definition of ``Health Care Operations''
Proposed Rule
    The definition of ``health care operations'' at Sec.  164.501 
includes at paragraph (3) ``underwriting, premium rating, and other 
activities relating to the creation, renewal or replacement of a 
contract of health insurance or benefits * * *.'' To avoid confusion 
with the use of both ``underwriting'' and ``underwriting purposes'' in 
the Privacy Rule, and in recognition of the fact that the proposed 
definition of ``underwriting purposes'' includes activities that fall 
within both the definitions of ``payment'' and ``health care 
operations'' in the Rule, the Department proposed to remove the term 
``underwriting'' from the definition of ``health care operations.'' We 
also proposed to add the term ``enrollment'' to the express list of 
health care operations activities to make clear that the removal of the 
term ``underwriting'' would not impact the use or disclosure of 
protected health information that is not genetic information for 
enrollment purposes. These proposed revisions were not intended to be 
substantive changes to the definition and thus, health plans would be 
permitted to continue to use or disclose protected health information, 
except genetic information, for underwriting purposes.
Overview of Public Comments
    The Department received a few comments on the proposed revisions to 
the definition of ``health care operations.'' One commenter supported 
the inclusion of the word ``enrollment.'' A few commenters, however, 
expressed concern and confusion that the removal of the term 
``underwriting'' from the definition of ``health care operations'' 
would no longer permit uses or disclosures of even non-genetic 
protected health information for underwriting.
Final Rule
    Due to the confusion and concern expressed by the commenters 
regarding the removal of the term ``underwriting'' from the definition, 
we retain the term ``underwriting'' within the definition of ``health 
care operations'' at Sec.  164.501 However, to make clear that a health 
plan may continue to use or disclose only protected health information 
that is not genetic information for underwriting, we include a 
reference to the prohibition on using or disclosing genetic information 
for underwriting purposes within the definition. The final rule also 
retains the term ``enrollment'' within the definition because we 
believe it is helpful to clarify that this is a permitted health care 
operations activity.
c. Definition of ``Payment''
Proposed Rule
    The definition of ``payment'' in the Privacy Rule at Sec.  164.501 
includes activities, such as ``determinations of eligibility or 
coverage'' by a health plan, some of which may fall within the 
definition of ``underwriting purposes.'' To avoid any implication that 
a health plan would be permitted to use or disclose protected health 
information for ``payment'' purposes that are otherwise prohibited by 
the underwriting prohibition, we proposed to include a cross-reference 
in the definition of ``payment'' to the prohibition. Further, we 
believed the inclusion of such a cross-reference to be necessary to 
properly align the definition of ``payment'' in the Privacy Rule with 
the nondiscrimination provisions of GINA Title I and their implementing 
regulations. GINA provides a rule of construction at section 102(a)(2), 
which adds paragraph 2702(c)(3) of the PHSA, to make clear that health 
plans are not prohibited from obtaining and using the results of a 
genetic test in making determinations regarding payment, as such term 
is defined by the HIPAA Privacy Rule. Thus, the proposed exception 
would make clear that GINA's rule of construction regarding payment 
does not allow a health plan to use the results of genetic tests for 
activities that would otherwise constitute ``underwriting purposes,'' 
such as for determinations of eligibility for benefits.
Overview of Public Comments
    The Department received two comments on the proposed change to the 
definition of ``payment,'' one supporting the change and one indicating 
it is unnecessary.
Final Rule
    For the reasons described above, the final rule adopts the proposed 
change to the definition of ``payment.''
5. Section 164.502(a)--Uses and Disclosures of Protected Health 
Information: General Rules
a. Prohibition
Proposed Rule
    To implement section 105 of GINA, the Department proposed a new 
prohibition on health plans using or disclosing protected health 
information that is genetic information for underwriting purposes at 
Sec.  164.502(a)(3). We made clear that such a provision would operate 
notwithstanding the other provisions in the Privacy Rule permitting 
uses and disclosures, and proposed a conforming change to Sec.  
164.502(a)(1)(iv) to clarify further that an authorization could not be 
used to permit a use or disclosure of genetic information for 
underwriting purposes.
Overview of Public Comments
    Some commenters expressly supported the proposed modification to 
the Privacy Rule to include the prohibition, and the proposed 
clarification that an authorization cannot be used to otherwise permit 
a prohibited use or disclosure of genetic information. One commenter 
suggested adding the examples from the preamble to the regulatory text, 
as well as language to the regulatory text to clarify that the 
prohibition applies to genetic information obtained by a health plan 
prior to the passage of GINA.
Final Rule
    The final rule adopts the proposed prohibition on a health plan's 
use or disclosure of genetic information for underwriting purposes, 
except with regard to health plans that are issuers of long term care 
policies, as explained above in section VI.C.1 regarding to which plans 
the final rule applies. This prohibition, located in this final rule at 
Sec.  164.502(a)(5), applies to all genetic information from the 
compliance date of these modifications forward, regardless of when or 
where the genetic information originated. We do not believe a 
clarification of this fact in the regulatory text is necessary.
    Consistent with Sec. 101(a) of the statute, this prohibition should 
not be construed to limit the ability of a health plan to adjust 
premiums or contribution amounts for a group health plan based on the 
manifestation of a disease or disorder of an individual enrolled in the 
plan, even though a health plan cannot use the manifestation of a 
disease or disorder in one individual as genetic information about 
other group members and to further increase the premium for the plan. 
Similarly, for the individual

[[Page 5667]]

health insurance market, a health plan is not prohibited from 
establishing rules for eligibility for an individual to enroll in 
coverage or from adjusting premium or contribution amounts for an 
individual based on the manifestation of a disease or disorder in that 
individual or in a family member of such individual where such family 
member is covered under the individual's policy, even though the health 
plan cannot use the manifestation of a disease or disorder in one 
individual as genetic information about other individuals to further 
increase premiums or contribution amounts for those other individuals.
    To illustrate how the prohibition operates, we reiterate the 
following examples (but for the reasons explained above, decline to 
include them in the regulatory text). If a health insurance issuer, 
with respect to an employer-sponsored group health plan, uses an 
individual's family medical history or the results of genetic tests 
maintained in the group health plan's claims experience information to 
adjust the plan's blended, aggregate premium rate for the upcoming 
year, the issuer would be using protected health information that is 
genetic information for underwriting purposes in violation of Sec.  
164.502(a)(5)(i). Similarly, if a group health plan uses family medical 
history provided by an individual incidental to the collection of other 
information on a health risk assessment to grant a premium reduction to 
the individual, the group health plan would be using genetic 
information for underwriting purposes in violation of Sec.  
164.502(a)(5)(i).
    The prohibition is limited to health plans. A health care provider 
may use or disclose genetic information as it sees fit for treatment of 
an individual. If a covered entity, such as an HMO, acts as both a 
health plan and health care provider, it may use genetic information 
for purposes of treatment, to determine the medical appropriateness of 
a benefit, and as otherwise permitted by the Privacy Rule, but may not 
use such genetic information for underwriting purposes. Such covered 
entities, in particular, should ensure that appropriate staff members 
are trained on the permissible and impermissible uses of genetic 
information.
6. Section 164.504(f)(1)(ii)--Requirements for Group Health Plans
Proposed Rule
    Section 164.504(f)(1)(ii) permits a group health plan, or health 
insurance issuer or HMO with respect to the group health plan, to 
disclose summary health information to the plan sponsor if the plan 
sponsor requests the information for the purpose of obtaining premium 
bids from health plans for providing health insurance coverage under 
the group health plan, or for modifying, amending, or terminating the 
group health plan. As this provision permits activities that constitute 
``underwriting purposes,'' as defined by GINA and the proposed rule, 
the Department proposed to modify Sec.  164.504(f)(1)(ii) to clarify 
that Sec.  164.504(f)(1)(ii) would not allow a disclosure of protected 
health information that is otherwise prohibited by the underwriting 
prohibition.
Overview of Public Comments
    The Department received one comment in support of this 
modification.
Final Rule
    The final rule adopts the modification to Sec.  164.504(f)(1)(ii).
7. Section 164.506--Uses and Disclosures To Carry Out Treatment, 
Payment, or Health Care Operations
Proposed Rule
    Section 164.506(a) of the Privacy Rule sets out the uses and 
disclosures a covered entity is permitted to make to carry out 
treatment, payment, or health care operations. In light of the fact 
that the proposed definition of ``underwriting purposes'' encompasses 
activities that fall both within the definitions of ``payment'' and 
``health care operations'' under the Privacy Rule, the Department 
proposed to add a cross-reference in Sec.  164.506(a) to the new 
underwriting prohibition to make clear that Sec.  164.506 of the 
Privacy Rule would not permit health plans to use or disclose an 
individual's protected health information that is genetic information 
for underwriting, even though such a use or disclosure is considered 
payment or health care operations.
Overview of Public Comments
    The Department received one comment in support of this 
modification.
Final Rule
    The final rule adopts the modification to Sec.  164.506(a).
8. Section 164.514(g)--Uses and Disclosures for Activities Relating to 
the Creation, Renewal, or Replacement of a Contract of Health Insurance 
or Health Benefits
Proposed Rule
    Section 164.514(g) of the Privacy Rule prohibits a health plan that 
receives protected health information for underwriting, premium rating, 
or other activities relating to the creation, renewal, or replacement 
of a contract for health insurance or health benefits, from using or 
disclosing such protected health information for any other purpose 
(except as required by law) if the health insurance or health benefits 
are not placed with the health plan. The Department proposed conforming 
amendments to Sec.  164.514(g) to: (1) Remove the term ``underwriting'' 
to avoid confusion given the new definition of ``underwriting 
purposes,'' which encompasses the activities described above; and (2) 
make clear that a health plan that receives protected health 
information that is genetic information for the above purposes is not 
permitted to use or disclose such information for underwriting 
purposes. The proposed removal of the term ``underwriting'' from Sec.  
164.514(g) was not intended as a substantive change to the scope of the 
provision.
Overview of Public Comments
    One commenter suggested that the Department reconsider the removal 
of the term ``underwriting'' from this section as it could be viewed as 
a substantive change to the scope of the provision, and expressed 
concern that the modification would prohibit a health plan from using 
or disclosing genetic information as required by other law.
Final Rule
    The final rule modifies Sec.  164.514(g) to refer to the 
prohibition, now at Sec.  164.502(a)(5). However, as with the 
definition of ``health care operations,'' we do not remove the term 
``underwriting'' to avoid unnecessary confusion. We also clarify that a 
health plan may continue to use or disclose protected health 
information that is genetic information as required by other law, 
except to the extent doing so would be inconsistent with the 
prohibition in GINA and this final rule at Sec.  164.502(a)(5)(i) 
against using or disclosing genetic information for underwriting 
purposes.
9. Section 164.520--Notice of Privacy Practices for Protected Health 
Information
Proposed Rule
    As discussed above in Section IV with regard to the changes made to 
Sec.  164.520 pursuant to the HITECH Act, Sec.  164.520 of the Privacy 
Rule sets out the requirements for most covered entities to have and 
distribute a Notice of Privacy Practices (NPP). With respect to the 
NPP, the Department believes that

[[Page 5668]]

individuals should be informed of their new rights and protections 
under this rule with respect to genetic information in the health 
coverage context. Thus, the Department proposed in Sec.  
164.520(b)(1)(iii)(D) to require health plans that use or disclose 
protected health information for underwriting to include a statement in 
their NPP that they are prohibited from using or disclosing protected 
health information that is genetic information about an individual for 
such purposes. Without such a specific statement, individuals would not 
be aware of this restriction and the general statements regarding 
permitted uses and disclosures for treatment, payment, and health care 
operations in the NPP of a health plan that performs underwriting would 
not be accurate (i.e., the NPP would state that the health plan may use 
or disclose PHI for purposes of payment and health care operations, 
which would not be true with respect to genetic information when the 
use or disclosure is for underwriting purposes).
    The preamble explained that the proposed prohibition on using or 
disclosing genetic information for underwriting and the proposed 
requirement to explicitly include a statement regarding the prohibition 
would represent a material change to the NPP of health plans that 
perform underwriting, and the Privacy Rule requires at Sec.  
164.520(c)(1)(i)(C) that plans provide notice to individuals covered by 
the plan within 60 days of any material revision to the NPP. As in the 
NPRM issued to implement HITECH Act provisions, the Department 
requested comment on ways to inform individuals of this change to 
privacy practices without unduly burdening health plans and provided 
several possible alternatives. The Department also explained that the 
obligation to revise the NPP for the reasons described above would fall 
only on health plans that intend to use or disclose protected health 
information for activities that constitute ``underwriting purposes.'' 
Thus, health care providers, as well as health plans that do not 
perform underwriting, would not be required to revise their NPPs.
Overview of Public Comments
    One commenter supported informing individuals in the NPP that 
health plans are prohibited from using or disclosing genetic 
information for underwriting purposes. One commenter asked the 
Department to clarify that where a health plan has already made a 
change to the NPP to comply with a statute, such as with GINA, and has 
sent the revised NPP to members, the health plan would not be required 
to make another change to its NPP to comply with the regulation.
    A number of comments addressed the issue of the timing and manner 
of distributing revised NPPs. In general, commenters recommended 
various alternatives, including: (1) Require health plans to provide a 
revised NPP to members in the next annual mailing; (2) require health 
plans to provide either a revised NPP or a supplement to members in the 
next annual mailing and to post the revised NPP or supplement on the 
health plan Web site immediately; (3) retain the existing 60-day 
deadline for providing a revised NPP to individuals or provide for a 
30-day extension; and (4) allow for distribution via electronic 
processes for more efficient delivery of NPPs to members.
Final Rule
    The final rule adopts the requirement for health plans that perform 
underwriting to include in their NPPs a statement that they are 
prohibited from using or disclosing genetic information for such 
purposes, except with regard to issuers of long term care policies, 
which are not subject to the underwriting prohibition. Health plans 
that have already modified and redistributed their NPPs to reflect the 
statutory prohibition are not required to do so again, provided the 
changes to the NPP are consistent with this rule. We also modify the 
NPP distribution requirements for health plans where there are material 
changes. These modifications are discussed above in Section IV with 
regard to material changes to the NPP resulting from changes pursuant 
to the HITECH Act.
10. Other Comments
    Comment: One commenter requested clarification on preemption with 
regard to the new underwriting prohibition.
    Response: Pursuant to subpart B of Part 160 of the HIPAA 
Administrative Simplification Rules, to the extent that a provision of 
State law requires a use or disclosure of genetic information for an 
activity that would otherwise constitute ``underwriting purposes,'' 
such State law would be preempted by the Privacy Rule unless an 
exception at Sec.  160.203 applies. In contrast, State laws that 
provide greater privacy protection for genetic information than the 
Privacy Rule continue to remain in place.
    Comment: One commenter asked how a health care provider should 
ensure that releasing an individual's information to a health plan will 
not result in an inappropriate disclosure to the health plan for 
underwriting purposes. This commenter also asked what the rules are for 
access to protected health information about an individual by the 
individual's extended family members seeking to determine if they are 
affected by a genetic trait.
    Response: With respect to the first question, these rules do not 
apply to health care providers. A covered health provider may continue 
to disclose protected health information, including genetic 
information, where doing so meets the minimum necessary standard, to 
health plans for payment purposes. Under this Rule, the onus is on the 
health plan to not use or disclose protected health information it 
receives for such purposes for prohibited underwriting purposes. 
Further, health plans continue to be required by the Privacy Rule to 
limit requests of protected health information to the minimum necessary 
when requesting such information from other covered entities. The 
regulations implementing sections 101-103 of GINA also restrict the 
ability of health plans covered by those rules to request genetic 
information.
    With respect to the second question, to the extent that an 
individual's genetic information is needed for the treatment purposes 
of a family member, a covered health care provider is permitted to 
disclose such information, subject to any agreed-upon restriction, to 
another provider for the treatment of the family member. See FAQ 
512 at https://www.hhs.gov/ocr/privacy/hipaa/faq/right_to_request_a_restriction/512.html, which makes clear that a health care 
provider may share genetic information about an individual with 
providers treating family members of the individual who are seeking to 
identify their own genetic health risks, provided the individual has 
not requested and the health care provider has not agreed to a 
restriction on such disclosure.
    Comment: One commenter requested that the rule require that health 
plans conducting or sponsoring research involving genetic information 
provide research participants with an explicit statement to ensure the 
individuals understand that such information may not and will not be 
used for underwriting purposes.
    Response: We decline to require such a statement. The regulations 
implementing sections 101-103 of GINA already require a statement to 
that effect as a condition of the health plan requesting that a 
research participant undergo a genetic test as part of the research. 
See, e.g., 45 CFR 144.122(c)(5). Further, this rule requires that 
health plans that perform underwriting inform individuals through their 
NPPs that the

[[Page 5669]]

plans may not use or disclose genetic information for such purposes.
    Comment: One commenter asked that the HIPAA de-identification 
standard be strengthened to provide better protection for health 
information, including genetic information.
    Response: The Privacy Rule's de-identification standard is outside 
the scope of this rulemaking.

VII. Regulatory Analyses

A. Introduction

    We have prepared a regulatory impact statement in compliance with 
Executive Order 12866 (September 1993, Regulatory Planning and Review), 
Executive Order 13563 (January 2011, Improving Regulation and 
Regulatory Review), the Regulatory Flexibility Act (RFA) (September 19, 
1980, Pub. L. 96-354), the Unfunded Mandates Reform Act of 1995 (UMRA) 
(March 22, 1995, Pub. L. 104-4), and Executive Order 13132 on 
Federalism. We begin with a discussion of Executive Orders 12866 and 
13563 and then present a more detailed analysis of costs and benefits. 
Finally, relying on information explained in the cost-benefit analysis, 
we discuss issues related to the RFA, UMRA, and Federalism 
considerations.
1. Executive Order 12866 and Executive Order 13563
    Executive Orders 12866 and 13563 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. A regulatory impact analysis must be prepared for major 
rules that have economically significant effects ($100 million or more 
in any one year) or adversely affect in a material way the economy, a 
sector of the economy, productivity, competition, jobs, the 
environment, public health or safety, or State, local, or Tribal 
government or communities (58 FR 51741). Based on the following 
analysis, this rule has been designated as an economically significant 
regulatory action within the meaning of section 3(f)(4) of Executive 
Order 12866. Accordingly, the rule has been reviewed by the Office of 
Management and Budget.
    To summarize, we estimate that the rule will result in new first-
year costs of between $114 million and $225.4 million. Annualizing the 
midpoints of our cost estimates at three and seven percent over ten 
years produces costs of $35.2 million and $42.8 million, 
respectively.\22\
---------------------------------------------------------------------------

    \22\ The breach notification provisions are the rule's only 
source of ongoing, annual costs. Therefore, with respect to breach, 
we annualize costs incurred on an annual basis. For the other 
provisions, we calculate annualized opportunity costs based on costs 
expended only in the first year of implementation.
---------------------------------------------------------------------------

    We estimate that the effects of the requirement for covered 
entities (including indirect costs incurred by third party 
administrators, which frequently send out notices on behalf of health 
plans) to issue new notices of privacy practices, as a result of the 
final changes to the HIPAA Privacy Rule under both the HITECH Act and 
GINA, will result in new costs of $55.9 million within 12 months of the 
effective date of the final rule. Annualizing the costs over 10 years 
at 3 percent and 7 percent results in annual NPP costs of approximately 
$6.6 million and $8 million, respectively. We have revised our cost 
estimate for NPP revisions since the proposed rule to reflect the 
increased flexibility provided in the final rule, which allows health 
plans to include their new NPPs in their usual, annual mailing rather 
than send them to individuals in a separate mailing. We also note that 
combining GINA and HITECH requirements into a single rule results in 
lower costs than would be incurred if covered entities were required to 
revise their NPPs multiple times to comply with separate rulemakings.
    Additionally, we have revised the annual estimated cost to comply 
with the final breach notification provisions. As we discuss below, we 
acknowledge there may still be some underreporting of breaches, however 
we do anticipate that the overall number of breaches will decrease in 
the future. As such, Table 2 below shows the costs of complying with 
the provisions of the breach notification final rule, which have been 
revised based on our experience with the number of breach notifications 
we have received from covered entities during calendar years 2010 and 
2011. We estimate the total annual cost for the breach notification 
rule to be approximately $14.5 million. Annualizing over 10 years at 3% 
and 7% produces annual breach implementation costs of approximately $17 
million and $20.6 million.
    With regard to the business associate provisions of the final rule, 
we assume that business associates currently comply with the HIPAA 
Privacy Rule use and disclosure provisions as required by their 
business associate contracts. However, with regard to the Security 
Rule, while we continue to believe that most business associates have 
implemented security protections that meet the Security Rule 
requirements as part of the assurances provided to covered entities 
through their contracts, we recognize that some smaller or less 
sophisticated business associates may not have engaged in the formal 
administrative safeguards required by the HIPAA Security Rule, and may 
not have written policies and procedures for compliance. For these 
business associates, we estimate that the costs to come into compliance 
with the Security Rule will be between approximately $22.6 million and 
$113 million. Annualizing the midpoint estimate ($67.8 million) at 3 
percent and 7 percent produces costs of $7.9 million and $9.7 million, 
respectively.
    Although we also continue to believe that most business associates 
have made a good faith attempt to conform their agreements with 
subcontractors to HIPAA requirements, we acknowledge the possibility 
that some business associates may make such efforts for the first time 
now that they and their subcontractors are subject to direct liability 
under the Rules. For this fraction of business associates, we estimate 
that the costs to bring subcontracts into compliance with the business 
associate agreement requirements will be between $21 million and $42 
million. Annualizing the midpoint of those estimates ($31.5 million) at 
3 percent and 7 percent results in costs of $3.7 million and $4.5 
million, respectively.
    There may be other costs we are not able to monetize because we 
lack data, and the rule may produce savings that may offset some or all 
of the added costs. We discuss these unquantified costs and benefits of 
the rule at the end of the Regulatory Impact Analysis.
    As a result of the economic impact, and other costs that are 
described but not quantified in the regulatory analysis below, OMB has 
determined that this rule is an economically significant regulatory 
action within the meaning of section 3(f)(4) of Executive Order 12866. 
We present our analysis of the costs and benefits of the rule in 
sections C and D below.
2. Entities Subject to the Rule
    This rule impacts covered health care providers, health insurance 
issuers, and third party administrators acting on behalf of health 
plans, which we estimate to total 698,238 entities. The rule also 
applies to approximately 1-2

[[Page 5670]]

million business associates and an unknown number of 
subcontractors.\23\
---------------------------------------------------------------------------

    \23\ Although we do not have data on the numbers of business 
associates, our enforcement experience leads us to believe that each 
covered entity has, on average, two to three business associates, 
for a total of 1-2 million business associates. This number likely 
overestimates the number of business associates, as some entities 
may be business associates to multiple covered entities. We do not 
have a basis for estimating the number of subcontractors that will 
be subject to the rule.
---------------------------------------------------------------------------

    Table 1 below shows the number of covered entities by class of 
provider and insurer that will be affected by the Rule.

                             TABLE 1--Number of Covered Entities by NAICS CODE \24\
----------------------------------------------------------------------------------------------------------------
                                                                                                    Estimated
                    NAICS                           Providers/suppliers           Number of      number of small
                                                                                  entities        entities \25\
----------------------------------------------------------------------------------------------------------------
622.........................................  Hospitals (General Medical and             4,060             4,060
                                               Surgical, Psychiatric,
                                               Substance Abuse, Other
                                               Specialty).
623.........................................  Nursing Facilities (Nursing               34,400            34,400
                                               Care Facilities, Residential
                                               Mental Retardation
                                               Facilities, Residential
                                               Mental Health and Substance
                                               Abuse Facilities, Community
                                               Care Facilities for the
                                               Elderly, Continuing Care
                                               Retirement Communities).
6211-6213...................................  Office of MDs, DOs, Mental               419,286           419,286
                                               Health Practitioners,
                                               Dentists, PT, OT, ST,
                                               Audiologists.
6214........................................  Outpatient Care Centers                   13,962            13,962
                                               (Family Planning Centers,
                                               Outpatient Mental Health and
                                               Drug Abuse Centers, Other
                                               Outpatient Health Centers,
                                               HMO Medical Centers, Kidney
                                               Dialysis Centers,
                                               Freestanding Ambulatory
                                               Surgical and Emergency
                                               Centers, All Other Outpatient
                                               Care Centers).
6215........................................  Medical Diagnostic, and                    7,879             7,879
                                               Imaging Service Covered
                                               Entities.
6216........................................  Home Health Service Covered               15,329            15,329
                                               Entities.
6219........................................  Other Ambulatory Care Service              5,879             5,879
                                               Covered Entities (Ambulance
                                               and Other).
N/A.........................................  Durable Medical Equipment                107,567           107,567
                                               Suppliers \26\.
4611........................................  Pharmacies \27\...............            88,396            88,396
524114......................................  Health Insurance Carriers \28\               730               276
524292......................................  Third Party Administrators                   750               750
                                               Working on Behalf of Covered
                                               Health Plans \29\.
                                                                             -----------------------------------
    Total Entities..........................  ..............................           698,238           697,784
----------------------------------------------------------------------------------------------------------------

     
---------------------------------------------------------------------------

    \24\ Office of Advocacy, SBA, https://www.sba.gov/advo/research/data.html.
    \25\ Because the vast majority of covered providers are small 
entities, we include all providers in our estimates of small 
providers.
    \26\ Centers for Medicare & Medicaid Services covered entities.
    \27\ The Chain Pharmacy Industry https://www.nacds.org/wmspage.cfm?parm1=507.
    \28\ Source: HHS ASPE analysis of 2010 NAIC Supplemental Health 
Care Exhibit data.
    \29\ We include third party administrators in our count of 
covered entities, although they are business associates, because the 
nature of their representation of the majority of ERISA plans makes 
them an appropriate ``surrogate'' for those plans.
---------------------------------------------------------------------------

B. Why is this rule needed?

    This final rule is needed to strengthen and expand the privacy and 
security protections for individuals' health information and privacy 
rights established under the HIPAA, as mandated by the HITECH Act and 
GINA. These enhancements are necessary to ensure continued adequate 
protections for health information, as well as trust in the health care 
system, particularly as the adoption and use of electronic health 
records increases. Importantly, among other changes, the rule makes 
business associates of covered entities directly liable for Federal 
penalties for failures to comply with certain provisions of the rule. 
This expansion in liability closes a large gap in protection that 
existed prior to these modifications with respect to business 
associates, which are the cause of many of the security breaches for 
which the Department receives breach reports.
    The final rule also lays out standards for when individuals and the 
Secretary must be informed that a breach of protected health 
information has occurred so that individuals may take measures to 
protect themselves from risks associated with the breach. By 
establishing requirements for notifying individuals and making business 
associates directly liable for complying with certain provisions of the 
Privacy and Security rules, we expect the number of breaches of 
protected health information to decline over time.
    This final rule also makes changes to the HIPAA rules, such as 
those that streamline the research authorization process, that are 
designed to increase flexibility for, and decrease burden on, the 
regulated entities, as well as to harmonize certain requirements with 
those under the Department's Human Subjects Protections regulations.

C. Costs

1. Breach Notification Costs
    The preamble to the interim final rule published on August 24, 
2009, contained a regulatory impact statement estimating the economic 
burden of implementing the rule. We are revising that impact statement 
in this final rule based upon our experience with collecting breach 
notifications from covered entities during calendar years 2010 and 
2011.
    The analysis that follows is very similar to the analysis set forth 
in the preamble to the interim final rule; however, instead of using 
information

[[Page 5671]]

from https://www.datalossdb.org to estimate the number of breaches that 
would occur each year, we have used the breach notifications provided 
to the Secretary during calendar years 2010 and 2011 to project the 
ongoing, annual costs to covered entities for implementing the breach 
notification provisions. Several commenters noted that significantly 
more breaches would occur each year than the interim final rule 
anticipated, and we acknowledge that the estimates provided in the 
interim final rule were significantly lower than our experience has 
been to date. As such, we believe that relying on our experience 
receiving notifications addresses the concerns of the commenters who 
thought we were underestimating the number of breaches that would occur 
each year. Based upon this information, we have revised the projected 
annual cost to implement these breach notification provisions.
    We acknowledge that there may still be some underreporting of 
breaches as the obligations of the regulation may not yet have 
penetrated down to all covered entities and business associates. At the 
same time, we expect that some types of incidents being reported today 
may not in the future as covered entities and business associates 
become more familiar with the definition of breach and more adept at 
performing risk assessments and determining whether a breach has 
occurred. We have received breach notifications from covered entities 
in several situations in which notification was not necessary, such as 
where there was no underlying impermissible use or disclosure under the 
Privacy Rule or where one of the exceptions to breach clearly applied 
to the situation. This is the type of over-reporting that we expect to 
diminish in the future. Additionally, covered entities and business 
associates are beginning to recognize areas of potential weakness and 
to take systemic actions to prevent breaches from occurring in the 
future, such as encrypting portable devices to avoid having to provide 
breach notifications in the event the device is lost or stolen.
    Table 2 shows the costs of the provisions of the final rule based 
on the breach notifications we have received from covered entities 
during calendar years 2010 and 2011. We also present the costs required 
for investigating breaches and the amount of time we anticipate 
individuals will spend calling the toll-free number for substitute 
notice. We estimate the total cost for the breach notification rule to 
be approximately $14.5 million. Discounting at 3 percent and 7 percent 
and annualizing over 10 years results in costs of $17 million and $20.6 
million, respectively.

               Table 2--Summary of Annual Compliance Cost for Breach Notification in 2011 Dollars
----------------------------------------------------------------------------------------------------------------
                                                     Number of
          Cost elements              Number of       affected       Cost/breach    Cost/affected       Cost
                                     breaches       individuals                     individuals
----------------------------------------------------------------------------------------------------------------
E-mail and 1st Class Mail.......          19,000       6,710,000            $182          $0.517      $3,467,122
Substitute Notices: Media Notice           1,190       6,605,500             480           0.086         571,200
Substitute Notices: Toll-Free              1,190    \30\ 660,550           1,526           2.750       1,816,379
 Number.........................
Imputed cost to affected                   1,190         660,550           1,725           3.108       2,052,665
 individuals who call the toll-
 free line......................
Notice to Media of Breach: Over              250       6,600,000              62           0.002          15,420
 500............................
Report to the Secretary: 500 or              250       6,600,000              62           0.002          15,420
 More...........................
Investigation Costs: Under 500..          18,750         324,050             281           16.29       5,277,456
Investigation Costs: 500 or More             250       6,600,000           3,350           0.127         837,500
Annual Report to the Secretary:           18,750         110,000              23            3.84         422,438
 Under 500......................
                                 -------------------------------------------------------------------------------
    Total Cost..................  ..............  ..............  ..............  ..............      14,475,600
----------------------------------------------------------------------------------------------------------------
\30\ As we explain below in the section on substitute notice, we project that 6,605,500 individuals will be
  affected by breaches that may require substitute notice, but we expect that at most 10% of affected
  individuals will call the toll-free line for information.

    In this revised analysis, we rely entirely on our experience with 
breach notifications received by the Secretary during calendar years 
2010 and 2011, for projecting the ongoing, annual costs of the breach 
notification rule. Based on our experience in those years, we project 
the likely number of breaches, number of affected individuals, and 
costs associated with this regulation. We have not attempted to predict 
future costs because, as discussed above, while we anticipate the 
overall number of breaches and the overall costs of implementing the 
breach notification provisions to fall over time, we do not currently 
have enough data to establish such a trend.
Affected Entities
    The entities affected by the breach notification regulation are 
outlined in the impact statement of the interim final rule. HIPAA 
covered entities and their business associates must comply with these 
regulations. We estimate that approximately 700,000 HIPAA covered 
entities will be subject to the final rule, although many fewer will 
experience a breach requiring them to fulfill the breach notification 
requirements.
How many breaches will require notification?
    Although this final rule modifies the definition of breach at Sec.  
164.402 to remove the harm standard, we do not believe that this will 
have a significant effect on the number of breaches reported to HHS or 
on the number of individuals affected. As discussed in Section V above, 
this final rule removes the harm standard and implements a more 
objective risk assessment for evaluating whether an impermissible use 
or disclosure is a breach. As a result, covered entities must still 
perform a risk assessment following an impermissible use or disclosure 
of protected health information to determine the probability that the 
protected health information has been compromised. Events such as 
hacking into an unencrypted database and theft of unsecured protected 
health information would in almost all cases constitute a breach in 
this final rule, just as they would under the interim final rule's 
definition of breach. However, given the further clarity in this rule 
as to the standard and factors to be considered, other incidents that 
may not have been considered a breach under the interim final rule may 
be considered a breach under this final rule (or in some cases, vice 
versa).
    Instead of relying on data from https://www.datalossdb.org to 
estimate the number of breaches and the number of individuals affected 
by such breaches

[[Page 5672]]

each year, this final rule uses breach notification reports submitted 
to the Secretary by covered entities to revise our previous estimates. 
We believe these reports provide us with much more complete information 
from which to project the overall cost of implementing this regulation.
    Beginning September 23, 2009, covered entities were obligated to 
notify the Secretary of all breaches of protected health information 
occurring on or after that date. As of September 23, 2009, covered 
entities must report breaches affecting 500 or more individuals to the 
Secretary without unreasonable delay and in no case later than 60 days 
from discovery of the breach, while breaches affecting fewer 
individuals must be reported to the Secretary within 60 days of the end 
of the calendar year in which the breach occurred.
    Based on our experience receiving breach notifications during 
calendar years 2010 and 2011, we project that HHS will receive 
approximately 19,000 breach notifications from covered entities 
annually or, on average, approximately 1,583 breach notifications each 
month. Approximately 250 such notifications will report breaches 
affecting 500 or more individuals and the remaining 18,750 reported 
breaches will affect fewer than 500 individuals.
    We project that approximately 6.71 million individuals will be 
affected by the 19,000 breaches reported to HHS each year, which is, on 
average, roughly 353 affected individuals per breach.
    As in the interim final rule, we have assumed that no State has a 
notification requirement, despite the fact that this will overestimate 
the burden imposed on covered entities because covered entities have 
trained their staffs and have prepared procedures to follow when a 
breach occurs to comply with existing breach notification requirements 
of most of the States. To ameliorate the overstatement of our cost 
estimate somewhat, we have assumed the costs for training personnel and 
for developing procedures for the most part have already been expended 
and are therefore in the baseline. We did not include these costs in 
our analysis of the annual costs.
    We have followed the same approach to estimating the costs as 
outlined in the interim final rule. We examined the cost of notifying 
affected individuals by first class mail, issuing substitute notice in 
major media or on a Web site along with a toll-free phone number, 
notifying prominent media in the event of a breach involving more than 
500 individuals, and notifying the Secretary of a breach, as well as 
the costs of investigating and documenting breaches. Some commenters 
requested that we include the cost of modifying contracts with business 
associates to potentially define the breach notification obligations 
between the parties. We note that costs to modify business associate 
agreements generally to comply with the new HITECH provisions are 
discussed elsewhere in this impact analysis.
Cost of Notifying Affected Individuals by First Class Mail or Email
    Section 164.404 requires all covered entities to notify affected 
individuals of a breach either by first class mail, or if the 
individual has agreed, by email. In the interim final rule, we assumed 
that approximately one half of notices sent to affected individuals 
would be sent via first-class mail, while the rest would be sent via 
email. By comparison, in the Federal Trade Commission's (FTC) final 
breach notification rule, the FTC assumed that 90 percent of the 
notices sent to individuals affected by a breach requiring notification 
under the FTC rule would be emailed and only 10 percent would be sent 
by regular first class mail. Since the firms that the FTC regulates are 
primarily web-based, assuming that the vast majority of communications 
would be conducted through email is a reasonable assumption. For HIPAA 
covered entities, however, 90 percent of which are small businesses or 
nonprofit organizations that engage the entire U.S. population in 
providing health care services, we believed that notification through 
email would be much more limited than in the case of the entities the 
FTC regulates. Some physician offices have been slow to adopt email 
communication with their patients for various reasons. We, therefore, 
assumed that only 50 percent of individuals affected as a result of a 
breach of unsecured protected health information would receive email 
notices. As we did not receive any comments on this assumption, we 
retain it here.
    As discussed in our analysis in the interim final rule, there will 
be certain costs that both email and first-class mail notification will 
share. The cost of drafting and preparing the notice will apply to both 
forms. The median hourly wage for the labor category of a healthcare 
practitioner and technical worker in 2011 was approximately $42.96, 
including 50 percent for fringe benefits.\31\ If we assume 30 minutes 
per breach for composing the letter, the cost equals $21.48. We assume 
that it will also take 30 minutes per breach for an administrative 
assistant to prepare the letter in either email or printed formats and 
to document the letter to comply with Sec. Sec.  164.414(a) and 
164.530(j). The median hourly wage for office and administrative 
support staff is $22.53, including 50 percent for benefits. For the 30 
minutes, we estimate $11.27 per breach. The combined labor cost for 
composing and preparing the document is approximately $32.75 per 
breach. Half of this cost will be allocated to the first-class letter 
and the other half to the emails.
---------------------------------------------------------------------------

    \31\ Department of Labor, Occupational Employment Statistics; 
Healthcare Practitioner and Technical Occupations. Available at 
https://www.bls.gov/oes/current/oes_nat.htm.
---------------------------------------------------------------------------

    Although computer costs for sending email will be insignificant, it 
will take staff time to select the email address from the entity's 
mailing list. We assume that an office worker could process and send 
200 emails per hour at a cost of $22.53 per hour. For each mailed 
notice, we assume $0.06 for paper and envelope and $0.45 for a first 
class stamp, totaling $0.51 per letter. We estimate another $22.53 per 
hour to prepare the mailing by hand at a rate of 100 letters per hour.
    Based on our revised estimate of the number of breaches that will 
occur in a year, we can multiply the number of breaches by the cost of 
composing and preparing a notice (19,000 x $32.75) equals $622,250. 
Allocating half the costs to emailing and the same amount to regular 
mail yields $311,125 to each category.
    Splitting our estimate of the number of affected individuals evenly 
between email and regular mail gives us 3,355,000 affected individuals 
for each notice category. As we did in the interim final rule, for 
emails we divide affected individuals by the number of emails processed 
in an hour (200) and multiply the result (16,775 hours) by the hourly 
cost of $22.53, giving us $377,940. To this number we add the $311,125 
giving us an estimated cost for email notices of $689,066.
    We follow the same method for estimating the cost of mailing 
notices using postal mail plus the cost of postage and supplies. 
Dividing 100 letters per hour into 3,355,000 yields 33,550 hours, which 
is then multiplied by $22.53 to reach $755,882 in labor costs to 
prepare the mailing. Adding to that the costs of postage and supplies 
($1,711,050) and the costs of composing and drafting ($311,125) equals 
$2,778,057. Summing the cost of email and postal mail notices equals

[[Page 5673]]

$3,467,122. Table 3 presents the results of our analysis in the order 
they are discussed above.

              Table 3--Cost of E-Mail and First Class Mail to Affected Individuals in 2011 Dollars
----------------------------------------------------------------------------------------------------------------
            (Annual)                           Mail                          Email                    Total
----------------------------------------------------------------------------------------------------------------
Number of breaches..............  9,500........................  9,500........................            19,000
Number of affected individuals    3,355,000....................  3,355,000....................         6,710,000
 or records.
Hours to compose and document     9,500 (1 hr per breach)......  9,500 (1 hr per breach)......            19,000
 notice.
Cost to compose and document      $311,125.....................  $311,125.....................          $622,250
 notice.
Hours to prepare mailing........  33,550.......................  16,775.......................            50,325
Cost to prepare mailing.........  $755,882.....................  $377,940.....................        $1,133,822
Postage and supplies............  $1,711,050...................  N/A..........................        $1,711,050
                                 -------------------------------------------------------------------------------
    Total.......................  $2,778,057...................  $689,066.....................        $3,467,122
----------------------------------------------------------------------------------------------------------------

Cost of Substitute Notice
    In the event that a HIPAA covered entity is not able to contact an 
affected individual through email or postal mail, it must attempt to 
contact the person through some other means. If the number of 
individuals who cannot be reached through the mailings is less than 
ten, the entity may attempt to reach them by some other written means, 
or by telephone.
    In the event that the covered entity is unable to contact 10 or 
more affected individuals through email or postal mail, the rule 
requires the entity to (1) publish a notice in the media (newspaper, 
television, or radio) or post a notice on its Web site, containing the 
same information contained in the mailed notice, and (2) set up a toll-
free number. The toll-free number is to be included in the media notice 
or notice on the Web site.
    Based on the breach notification reports received by the Secretary 
during calendar years 2010 and 2011, we project that approximately 
1,190 breaches affecting 10 or more individuals will require substitute 
notice (including 5% of breaches involving fewer than 500 individuals, 
and all 250 breaches involving 500 or more individuals). While several 
breaches affecting only 1 individual have also required substitute 
notice, as stated in the interim final rule, we believe the costs for 
notifying fewer than 10 individuals through alternative written means 
or by telephone would be very small and as a result we have not 
attempted to estimate those costs.
    The interim final rule estimated that it would cost approximately 
$240 to publish a public notice in a newspaper. Assuming the covered 
entity will publish two notices, the cost is $480. Multiplying this 
amount by the 1,190 estimated breaches yields $571,200. Also, as noted 
in the interim final rule, if a HIPAA covered entity has a Web site, we 
assume there will be no cost to post the notice to the Web site. We 
believe this overestimates the overall cost of publishing a notice, as 
many covered entities will elect to post the public notice only on 
their Web site, and not in a newspaper.
    As outlined in the interim final rule, the cost of setting up a 
toll-free phone number is a straight forward process of contacting any 
one of a number of service providers who offer toll-free service. The 
interim final rule found that the prices for toll-free service range 
from $0.027 per minute for a basic mail box arrangement to $0.07 per 
minute. A major, national phone service company offers toll-free 
service for $15 per month per toll-free number and per minute charge of 
$0.07. There is a one-time charge of $15. As in the interim final rule, 
we use the costs of $15 per month plus $15 activation fee and $0.07 per 
minute.
    Since the regulation requires providers to maintain a toll-free 
number for three months, the monthly charge plus initial fee per breach 
will be $60. To estimate the number of calls to the toll-free number, 
the interim final rule assumed that more individuals than those 
affected by the breach requiring substitute notice would call out of 
concern that their protected health information might have been 
compromised. The interim final rule estimated that a number equal to 
all affected individuals of all breaches would call the toll-free 
number. Based on our experience to date, and given that many 
individuals involved in breaches requiring substitute notice will 
receive regular notice, we now assume that less than 10 percent of 
individuals affected by breaches requiring substitute notice will call 
the toll-free line. Therefore, as we anticipate 6,605,500 total 
individuals will be affected by breaches requiring substitute 
notice,\32\ we assume that no more than 10 percent, or 660,550, will 
call the toll-free number to determine if they are affected by the 
breach. We note that while this revision significantly reduces the 
overall cost to covered entities for providing substitute notice in 
situations in which there is insufficient or out-of-date contact 
information for 10 or more individuals, we believe this estimate is 
much more appropriate based on the information we have received from 
covered entities thus far.
---------------------------------------------------------------------------

    \32\ This number includes all individuals affected by breaches 
involving 500 or more individuals (6,600,000) and 5 percent of 
individuals affected by breaches involving less than 500 individuals 
(5,500).
---------------------------------------------------------------------------

    Using this number and assuming that a call averages five minutes at 
$0.07 per minute, we estimate the total direct calling costs to equal 
$231,193. Added to this is $345,000 that represents the monthly fee per 
breach (1,190 breaches) for three months plus the one-time fee 
(totaling $60 per breach). This brings the total cost of setting up and 
maintaining toll-free lines to $576,193.
    To this cost, we must also include the office staff time to answer 
the incoming calls at $22.53 per hour. Based on an average of five 
minutes per call, a staff person could handle 12 calls per hour. 
Dividing 12 into 660,550 equals approximately 55,046 hours and then 
multiplied by $22.53 equals $1,240,186. Summing all cost elements 
yields a total cost of $1,816,379.
    To the degree that entities already maintain toll-free phone lines, 
our estimate overstates the costs of setting up a toll-free line as 
required under the rule. Table 4 presents our cost analysis for the 
toll-free line.

[[Page 5674]]



              Table 4--Annual Cost for Setting Up a Toll-Free Line for Three Months in 2011 Dollars
----------------------------------------------------------------------------------------------------------------
                                                     Number of
                                                     breaches        Number of
                      Costs                          affecting    breaches 500 +     Number of         Total
                                                  fewer than 500       (250)           calls
                                                      (5,500)
----------------------------------------------------------------------------------------------------------------
Monthly Charges for 3 months + 1-time Charge            $330,000         $15,000             N/A        $345,000
 ($60/breach)...................................
Direct Calling Charges @ $.07/min x 5 minutes...  ..............  ..............         660,550        $231,193
Labor cost @ $22.53/hr x 5 min per call.........  ..............  ..............         660,550      $1,240,186
Cost to individuals @ $24.86/hr x 7.5 min per     ..............  ..............         660,550      $2,052,665
 call...........................................
                                                 ---------------------------------------------------------------
    Total.......................................  ..............  ..............  ..............      $3,869,044
----------------------------------------------------------------------------------------------------------------

    As in the interim final rule, we have also imputed a cost to the 
time individuals will spend calling the toll-free number. In estimating 
the time involved, we assumed that a person will spend five minutes per 
call. However, the person may not get through the first time and thus 
may have to call back a second time which could add another 5 minutes. 
Taking the average between 5 and 10 minutes, we used an average time of 
7.5 minutes per caller.
    For purposes of imputing cost to an individual's time, we took the 
median compensation amount from the Bureau of Labor Statistics of 
$24.86 \33\ for all occupations. Dividing 60 by 7.5 minutes yields 8 
calls per hour. Dividing the number of calls per hour into 660,550 
calls and then multiplying by $24.86, gives us a cost of $2,052,665.
---------------------------------------------------------------------------

    \33\ Department of Labor, Occupational Employment Statistics. 
https://www.bls.gov/oes/current/oes_nat.htm.
---------------------------------------------------------------------------

Cost of Breaches Involving More Than 500 Individuals
    If a covered entity experiences a breach of protected health 
information affecting more than 500 individuals of a State or 
jurisdiction, Sec.  164.406 of the rule requires the entity to notify 
the media in the jurisdiction or State in which the individuals reside. 
In addition, Sec.  164.408 of the rule requires the entity to notify 
the Secretary contemporaneously with notice to affected individuals in 
cases where 500 or more individuals are affected by a breach.
    As stated in the interim final rule, we anticipate that a covered 
entity will issue a press release when it must notify the media under 
Sec.  164.406. The tasks involved in issuing the press release will be 
the drafting of the statement and clearing it through the entity. As 
discussed in the interim final rule, we assume that drafting a one-page 
statement will contain essentially the same information provided in the 
notice to affected individuals and will take 1 hour of an equivalent to 
a GS-12 Federal employee, earning $29 per hour. Adding 50 percent to 
account for benefits equals $43.50. Approval of the release involves 
reading the document. We expect this activity to take 15 minutes. The 
median hourly rate for a public relations manager is approximately 
$44.86 in 2011.\34\ Adding 50 percent for benefits equals $67.29, so 
one quarter of an hour equals $16.82 for approving the release. The 
total cost of the release equals $61.68, and multiplying this amount by 
the number of breaches affecting more than 500 individuals (250) equals 
$15,420. This amount is lower than our previous estimate because we 
have adopted the more customary and realistic approach of adding 50 
percent to wages for benefits, rather than doubling standard wage rates 
to account for benefits. It should be noted that even this amount may 
overstate the actual costs of issuing a notice to the media.
---------------------------------------------------------------------------

    \34\ https://www.bls.gov/oes/current/oes_nat.htm.
---------------------------------------------------------------------------

    The report to the Secretary that must be sent contemporaneously 
with the sending of the notices to the affected individuals will 
contain essentially the same information as the notice sent to the 
affected individuals. As stated in the interim final rule, we 
anticipate the time and cost to prepare the report will be the same as 
that required for issuing a notice to the media. The cost for reporting 
to the Secretary the 250 breaches affecting 500 or more individuals is 
$15,420.
Cost of Investigating a Breach
    As a prerequisite to issuing a notice to individuals, to the media, 
and to the Secretary, the covered entity will need to conduct an 
investigation to determine the nature and cause of the breach. We 
estimate that the 95 percent of breaches in the under 500 category that 
affect fewer than 10 individuals will require 4 hours of investigation. 
The other 5 percent of under 500 breaches, which affect between 10 and 
499 individuals, may require up to 8 hours to investigate. At an office 
manager's \35\ time at $67 per hour ($44.65 median wage plus 50 percent 
for benefits) multiplied by 4 and 8 hours, results in per breach costs 
of approximately $268 and $536, respectively. Multiplying $268 by the 
number of breaches affecting fewer than 10 individuals (17,800 
breaches) results in investigation costs of $4,773,616. We then 
multiply $536 by the number of breaches affecting 10 to 499 individuals 
(940 breaches), which produces investigation costs of $503,840. Adding 
the totals for the two groups results in investigation costs of 
$5,277,456 per year for breaches affecting less than 500 individuals. 
This estimate includes the time required to produce the documentation 
required by Sec.  164.414(a). We note that this estimate is 
significantly higher than that in the interim final rule; however, this 
is due entirely to the revised estimate that there will be 
approximately 18,750 breaches affecting fewer than 500 individuals per 
year.
---------------------------------------------------------------------------

    \35\ See www.bls.gov/oes/current/oes_nat.htm for All Management 
Occupations.
---------------------------------------------------------------------------

    As stated in the interim final rule, for breaches involving 500 or 
more individuals, the breach investigation may take up to 100 hours to 
complete; however, we assume that the average investigation will take 
only 50 hours. At an office manager's time of $67 per hour multiplied 
by 50 hours, this cost equals $3,350 per breach. Multiplying this by 
the number of breaches (250) yields $837,500.
Cost of Submitting the Annual Breach Summary to HHS
    Under Sec.  164.408, covered entities must notify the Secretary of 
all breaches; however, covered entities reporting breaches affecting 
fewer than 500 individuals may report these breaches to the Secretary 
annually. Since the material for the submission has already been 
gathered and organized for the issuance of the notices to the affected 
individuals, we expect that notifying the Department will require at

[[Page 5675]]

most an hour of office staff time once per year. At $22.53 per hour 
multiplied by the total number of breaches (18,750) affecting fewer 
than 500 individuals, this cost equals $422,438.
2. Notifying Individuals of Their New Privacy Rights
    Covered entities must provide individuals with NPPs that detail how 
the covered entity may use and disclose protected health information 
and explain individuals' rights with respect to their own health 
information. Because of changes to the HIPAA Rules as a result of the 
HITECH Act and GINA, the final rule requires covered entities to modify 
their NPPs and distribute them to individuals to advise them of the 
following: (1) For health plans that underwrite, the prohibition 
against health plans using or disclosing PHI that is genetic 
information about an individual for underwriting purposes; (2) the 
prohibition on the sale of protected health information without the 
express written authorization of the individual, as well as the other 
uses and disclosures for which the rule expressly requires the 
individual's authorization (i.e., marketing and disclosure of 
psychotherapy notes, as appropriate); (3) the duty of a covered entity 
to notify affected individuals of a breach of unsecured protected 
health information; (4) for entities that have stated their intent to 
fundraise in their notice of privacy practices, the individual's right 
to opt out of receiving fundraising communications from the covered 
entity; and (5) the right of the individual to restrict disclosures of 
protected health information to a health plan with respect to health 
care for which the individual has paid out of pocket in full.
    For providers, the costs related to the NPP consist of developing 
and drafting the revised NPP, and, as discussed below, the potential to 
incur out-of-cycle printing costs for the revised notice. There are no 
new costs attributable to the distribution of the revised notice as 
providers have an ongoing obligation to hand out the NPPs when first-
time patients come for their appointments. We estimate that drafting 
the updated NPPs will require approximately one-third of an hour of 
professional, legal time at a cost of about $28.\36\ The total cost for 
attorneys for the approximately 697,000 \37\ health care providers in 
the U.S. is, therefore, expected to be approximately $20 million. 
Printing the NPPs involves production and supplies at a cost of $0.10 
per notice. Based on our prior estimates, health care providers are 
currently required to print and provide the NPP to approximately 613 
million new patients annually. We assume that most health care 
providers will spread the printing of their notices throughout the 
year, producing copies on a quarterly, monthly, or even more frequent 
schedule. Further, providers will have 8 months from the publication of 
the final rule before they will need to produce the revised NPPs, and, 
therefore, can use that time to adjust their inventory and printing 
schedule to transition to the revised notice without any additional 
expense. Thus, assuming a worst case scenario in which all providers 
would need to replace at most 4 months of old inventory with the 
revised notice, the need for off-schedule printing of the revised 
notice for this 4 month period would be attributed to this provision. 
We estimate, therefore, that providers will print not more than 204 
million revised NPPs over and above their existing printing obligations 
(4/12 x 613 million = 204 million). Printing costs for 204 million NPPs 
will be $20.4 million (204 million x $0.10 = $20.4 million). Therefore, 
the total cost for providers is approximately $40.4 million ($20 
million + $20.4 million = $40.4 million).
---------------------------------------------------------------------------

    \36\ See https://www.bls.gov/oes/current/naics3_541000.htm#23-0000 for lawyers. Note that we generally calculate labor costs based 
on the median hourly rate, which for lawyers is $56.21 per hour. We 
add 50 percent to account for fringe benefits, resulting in an 
estimated hourly cost of $84.32.
    \37\ We identified 698,238 entities that must prepare and 
deliver NPPs that are shown in Table 1 above. This includes 696,758 
HIPAA covered entities that are health care providers, including 
hospitals, nursing facilities, doctor offices, outpatient care 
centers, medical diagnostic, imaging service, home health service 
and other ambulatory care service covered entities, medical 
equipment suppliers, and pharmacies. For the purposes of our 
calculation, we have rounded this number to 697,000. Table 1 also 
includes 730 health insurance carriers and 750 third party 
administrators working on behalf of covered health plans. The cost 
estimates for these entities are addressed later.
---------------------------------------------------------------------------

    For health plans, the costs related to the NPP consist of 
developing and drafting the revised NPP, and, for certain health plans, 
the costs of printing and mailing the notice out-of-cycle because the 
revision is a material change. See Sec.  164.520(c)(1)(v)(A). With the 
exception of a few large health plans, most health plans do not self-
administer their plans. Most plans are either health insurance issuers 
(approximately 730) or utilize third party administrators that act on 
their behalf in the capacity of business associates. We identified 
approximately 750 third party administrators acting as business 
associates for ERISA plans. We have revised our earlier estimate of 
3,500 third party administrators after learning that the majority of 
these entities act as welfare administrators and do not administer 
health plans. In addition, some public non-Federal health plans may use 
third party administrators. Almost all of the public and ERISA plans, 
we believe, employ third party administrators to administer their 
health plans. While the third party administrators will bear the direct 
costs of issuing the revised NPPs, the costs will generally be passed 
on to the plans that contract with them. Those plans that self-
administer their own plans will also incur the costs of issuing the 
revised NPPs. We do not know how many plans administer as well as 
sponsor health plans and invited comments on the number of self-
administered plans. As we did not receive comments on this issue, we 
assume that there are not enough self-administered plans to have an 
effect on these estimates.
    Each of the approximately 1,500 health insurance issuers and health 
plan administrators will experience the same kinds of costs as we 
estimated for providers for drafting ($28 per entity) and printing 
($0.10 per notice) the NPPs. However, health insurers and plan 
administrators will have to mail the NPPs to policy holders. We 
recognize that, under the existing requirement to send new NPPs in a 
separate mailing to all policy holders, the costs of distributing new 
NPPs, including clerical time and in some cases, postage, constituted 
the majority of the overall costs of the rule to covered entities. 
However, in the proposed rule, we requested comments on alternative 
ways to inform individuals of material changes to their rights and 
protections that would be less burdensome and costly. Based on the 
comments and consistent with E.O. 13563, in this final rule, we have 
adopted an alternative to the requirement to send the new NPP to all 
policy holders within 60 days. After consideration, we decided to 
permit health plans and third party administrators working for health 
plans to include the revised NPP in their next annual mailing, rather 
than within 60 days of the material change, if they have a Web site 
with an NPP. See Sec.  164.520(c)(1)(v)(A). We anticipate that most, if 
not all, affected entities will take advantage of this option and will 
not send the NPP in a separate mailing. As such, we expect that the 
vast majority of health insurers will not incur any out-of-cycle NPP 
dissemination costs.
    Nonetheless, to account for any costs that might be incurred by a 
small

[[Page 5676]]

minority of health insurers to distribute the revised NPPs in a 
separate mailing, we have calculated the costs to these entities of 
doing so. We describe our methodology in the following paragraphs, 
beginning with an estimated total number of NPP recipients. We then 
calculate the costs of printing and sending the revised NPP by separate 
mailings to all recipients and estimate that no more than 10 percent of 
these costs will actually be incurred.
    Because the Privacy Rule requires that only the named insured or 
policy holder is notified of changes to the health plans' privacy 
practices even if that policy also covers dependents, we expect that 
only policy holders will receive the revised NPPs mandated by this 
rule. This assumption is consistent with the practices of public 
programs, such as Medicare, which has a policy of mailing one notice or 
a set of program materials to a household of four or fewer 
beneficiaries at the same address. As a result, although there are 50.7 
million individual Medicare beneficiaries, the program only sends out 
approximately 36 million pieces of mail per mailing.
    Actuarial Research Corporation (ARC), our consultant, estimated the 
number of policy holders for all classes of insurance products to be 
approximately 183.6 million, including all public programs. The data 
comes from the Medical Expenditure Panel Survey from 2004-2006 
projected to 2010. ARC estimated 112.6 million private sector policy 
holders and 71.0 million public ``policy holders.'' The total, 
including more recent Medicare data, is 188.3 million persons (which 
results in roughly a split of 60 percent private policy holders and 40 
percent public ``policy holders''), whom we expect to receive NPPs from 
their plans. The estimates do not capture policy holders who are in 
hospitals or nursing homes at the time of the survey, or individuals 
who may have been insured under more than one plan in a year, for 
example, because their job status changed, they have supplemental 
policies, or they have more than one employer, creating duplicate 
coverage. Therefore, ARC recommended we use 200 million for the number 
of NPPs that will actually be sent.
    We estimate the costs of drafting, printing, and distributing the 
NPP to all potential recipients to be the following. First, drafting 
the NPP is estimated to require one-third hour of legal services at a 
cost of $28 x 1,500 insurance plans and insurance administrative 
entities, which equals $42,000. Second, we need to calculate printing 
and distribution costs for all potential recipients assuming the 
revised notice would be sent in a separate mailing. As with providers, 
we estimate the cost of printing the NPP, which includes the cost of 
paper and actual printing, to be $0.10 per notice. Therefore, we 
estimate the cost of printing 200 million notices for mail distribution 
at $20 million. Further, we estimate the cost of distributing the NPPs, 
including clerical time and postage in the same manner as these costs 
were estimated for the Breach Notification for Unsecured Protected 
Health Information Regulations. Thus, we assume that an office worker 
could process and send 100 mailings per hour at a cost of $22.53 per 
hour, plus a postage cost of $0.45 per mailing. If notices were 
required to be mailed to the 200 million beneficiaries in the sixty-day 
timeframe, the distribution costs would be $135 million (200 million/
100 per hour x $22.53 = $45 million + $90 million (200 million x 
$0.45)). Total printing and distribution cost would have been $155 
million, if all policy holders received separate NPP mailings. Third, 
as discussed above, we expect that nearly all plans and third party 
administrators will be able to avoid having to do a separate mailing of 
the revised notice under the new distribution provisions in this final 
rule, and that only 10 percent of these plans will incur the printing 
and distribution costs. Using the above estimates, we assume for this 
purpose that 20 million notices (200 million total notices x 10%) will 
be need to be printed and sent through a separate mailing, at a total 
cost of $15.5 million ($2 million printing + $13.5 million mailing). 
Therefore, the total cost to all plans for drafting, printing, and 
distributing the NPP is approximately $15.5 million. We note that even 
this total may be an overestimation of the costs because many insurers 
may use bulk mailing rates to distribute their NPPs which would reduce 
their mailing costs.
    The total estimated cost for both providers and health plans to 
notify individuals and policy holders of changes in their privacy 
rights is approximately $55.9 million in the first year following 
implementation of the rule.
    A number of commenters expressed general concern regarding the 
costs of printing and distributing new NPPs but did not provide 
estimates of the costs they anticipated or question our calculations. 
Two health plan commenters estimated that the costs of printing and 
mailing NPPs to their members could reach up to $100,000. However, they 
did not provide information about the facts and assumptions underlying 
their analyses, including the number of beneficiaries or mailings they 
anticipated, so we were unable to evaluate their estimates. We have 
addressed some of this concern by permitting health plans that maintain 
a notice on their web sites to include their NPPs in their annual 
mailings, rather than separately mailing the NPPs within 60 days of the 
material changes.
    Table 5 below presents our analysis of costs to the providers, 
insurers, and third party administrators that are required to issue 
NPPs under the rule.\38\
---------------------------------------------------------------------------

    \38\ Health care clearinghouses function almost exclusively as 
business associates with respect to the protected health information 
they maintain and process, and therefore have no NPP requirements.

                      TABLE 5--Summary of Compliance Cost for Notices of Privacy Practices
----------------------------------------------------------------------------------------------------------------
                                                             Health insurers & third
         Cost elements                   Providers             party administrators         Total (approx.)
----------------------------------------------------------------------------------------------------------------
Drafting NPPs.................  $20 million...............  $42,000..................  $20 million.
Printing NPPs.................  $20.4 million.............  $2 million...............  $22.4 million.
Mailing NPPs..................  N/A.......................  $13.5 million............  $13.5 million.
                               ---------------------------------------------------------------------------------
    Total (approx.)...........  $40.4 million.............  $15.5 million............  $55.9 million.
----------------------------------------------------------------------------------------------------------------


[[Page 5677]]

3. Business Associates and Covered Entities and Their Contractual 
Relationships
    The rule extends liability for failure to comply with certain 
provisions of the Privacy and Security Rules directly to business 
associates and business associate subcontractors. Prior to this rule 
and HITECH, these obligations applied to business associates and their 
subcontractors indirectly through Sec. Sec.  164.504(e) and 164.314(a), 
which require that covered entities by contract require business 
associates to limit uses and disclosures and implement Security Rule-
like safeguards.
    This final rule implements Section 13401 of HITECH Act, which makes 
business associates directly liable for compliance with many of the 
same standards and implementation specifications, and applies the same 
penalties to business associates that apply to covered entities, under 
the Security Rule. Additionally, in accord with Section 13404 of the 
HITECH Act, the rule requires business associates to comply with many 
of the same requirements, and applies the same penalties to business 
associates that apply to covered entities, under the Privacy Rule. 
Business associates must also obtain satisfactory assurances in the 
form of a business associate agreement from subcontractors that the 
subcontractors will safeguard any protected health information in their 
possession. Finally, business associates must furnish any information 
the Secretary requires to investigate whether the business associate is 
in compliance with the regulations.
    In the proposed rule, we assumed that business associates' 
compliance with their contracts range from the minimal compliance to 
avoid contract termination to being fully compliant. Further, we 
assumed that business associates in compliance with their contracts 
would have already designated personnel to be responsible for 
formulating the organization's privacy and security policies, performed 
a risk analysis, and invested in hardware and software to prevent and 
monitor for internal and external breaches of protected health 
information.
    We also stated in the proposed rule that while business associates 
were previously required to comply with the HIPAA Rules according to 
the terms of their contracts with covered entities, and we expected 
that most business associates did so already, the risk of criminal and/
or civil monetary penalties may spur some business associates to 
increase their efforts to comply with the Rules. We explained that we 
have no information on the degree of contract enforcement and 
compliance among business associates, and lack information regarding 
the size or type of business associates that contract with covered 
entities. We have only rough estimates as to the overall number of 
business associates, which range from approximately one million to two 
million depending on the number of business associates that serve 
multiple covered entities.
    While we did not have specific information in this regard, we 
assumed that some business associates and subcontractors already comply 
with existing privacy and security standards in accordance with their 
indirect and contractual obligations. For them, the proposed rule would 
impose only a limited burden. For other business associates, depending 
on the current level of compliance, the proposed rule could impose 
significant burdens. We requested comments regarding the amount of 
burden and the number of affected business associates.
    Several commenters stated that requiring business associates to 
undertake compliance with the rule in the same way as covered entities 
is excessive and burdensome, especially because in some cases business 
associates do not have the same type of relationship with individuals. 
Several commenters pointed to the burden on covered entities and 
business associates to renegotiate business associate agreements and 
train staff, and many specifically mentioned that compliance with the 
Security Rule is particularly costly. One commenter stated that it was 
a business associate party to ``tens of thousands'' of business 
associate contracts, with a significant cost to bring all into 
compliance.
    We continue to expect that most business associates and 
subcontractors have made and continue to make a good-faith effort to 
follow the terms of their contracts. The burden of the rule on business 
associates and subcontractors depends on the terms of the contracts 
between covered entities and business associates and between the 
business associates and subcontractors, and the degree to which 
business associates and subcontractors established privacy policies and 
adopted security measures that comport with the HIPAA Rules. For 
business associates and subcontractors that have already taken HIPAA-
compliant measures to protect the privacy and security of the protected 
health information in their possession, as required by their existing 
contracts, the rule imposes limited burden. We estimate the costs to 
other business associates later in this section.
    A few commenters cited concerns about unfair competition for 
smaller business associate entities that they believe will not be able 
to compete with larger business associate entities, especially with 
regard to contract negotiations including indemnification and other 
risk allocation issues.
    We understand that many small business associates are concerned 
about the allocation of risk and indemnification in conjunction with 
their business associate contracts. However, as we discuss in section 
IV D above, as with any contracting relationship, business associates 
and covered entities may include other provisions that dictate and 
describe their business relationship. While these may or may not 
include indemnification clauses or other risk-shifting provisions, 
these contractual provisions and relationships are outside the 
governance of the HIPAA Rules.
    Because we understand that covered entities and business associates 
remain concerned with the cost to bring their business associate 
agreements into compliance with the final rule, we allow contracts to 
be phased in over one year from the compliance date or 20 months from 
the publication date of the final rule, and we expect and encourage 
covered entities and business associates to incorporate the costs of 
modifying contracts into the normal renegotiation of contracts as the 
contracts expire. As we did not receive comments to the contrary, we 
believe that most contracts will be renegotiated over the phase-in 
period. In addition, the Department has issued on its web site revised 
sample business associate provisions, which should lessen the costs 
associated with contract modifications.
    As we believe covered entities generally are operating under HIPAA 
compliant contracts with their business associates, the transition 
period and availability of sample contract provisions should make it 
possible for these entities to incorporate any minor contract 
modifications into normal contract renegotiations without any 
appreciable added costs. We continue to believe that all covered 
entities have established business associate agreements with their 
business associates that are consistent with the requirements of the 
HIPAA Rules, as covered entities have been subject to direct liability 
under the Rules since their inception and have had more than half a 
dozen years to make their contracts compliant. However, to the extent 
that some contracts between covered entities and business associates

[[Page 5678]]

are not currently in full compliance with the business associate 
agreement provisions, these entities may experience limited costs to 
revise their contracts.
    Although we are less certain about the current state of business 
associate-subcontractor relationships, we believe that most business 
associates have made a good faith attempt to include the appropriate 
contractual requirements. Still, we anticipate that some small business 
associates, now that they are subject to direct liability under the 
rules, might establish or significantly modify their subcontracts to 
come into compliance for the first time. Such business associates would 
not be eligible for the extended transition period and, as a result, 
would incur the costs of creating new contracts or renegotiating 
contracts out of cycle. In the Final Privacy Rule published in 2002, we 
estimated that entities would need between one and two hours to develop 
and tailor a business associate agreement to their particular needs. 
See 67 FR 53182, 53257. Taking the average of the lower and upper 
estimates provided in the earlier rulemaking, we estimate that 
developing and tailoring contract language normally would take 
approximately 90 minutes of professional legal services at $84.32 per 
hour.\39\ However, as in the 2002 Final Privacy Rule (67 FR 53257), we 
estimate that providing model language will reduce the time required to 
develop contract language by at least one third. Thus, we estimate that 
each new or significantly modified contract between a business 
associate and its subcontractors will require, at most, one hour of a 
lawyer's time at a cost of $84.32.
---------------------------------------------------------------------------

    \39\ See https://www.bls.gov/oes/current/naics3_541000.htm#23-0000 for lawyers. Note that we generally calculate labor costs based 
on the median hourly rate, which for lawyers is $56.21 per hour. We 
add 50 percent to account for fringe benefits, resulting in an 
estimated hourly cost of $84.32.
---------------------------------------------------------------------------

    We believe that no more than 25 percent of 1-2 million business 
associates, or 250,000-500,000 entities, would not have already made 
good faith efforts to achieve compliance and will need to create or 
significantly modify subcontracts, resulting in total costs of between 
$21 million and $42 million.
    We expect that each business associate's lawyer will draw up one 
standard contract to use for all of its subcontracts. We do not 
attribute contract revision costs to subcontractors because the 
required contract provisions are not negotiable and subcontractors will 
need to only sign the agreement. We note that our estimated cost likely 
is an overestimate because the group of small business associates that 
may be less likely than others to have compliant contracts in place 
with subcontractors are, because of their size, also less likely to 
have any subcontractors at all.
    Finally, in response to the commenters concerned with the cost and 
burden on business associates to come into full compliance with the 
Security Rule, we have taken another look at the underlying assumptions 
in the proposal. We continue to believe that business associates have 
engaged in privacy practices in compliance with their contractual 
obligations to use and disclose protected health information as limited 
by the Privacy Rule and their particular contracts with covered 
entities. Therefore, as we have stated above, we do not believe that 
the extension of liability for compliance with Privacy Rule 
requirements as identified in this rulemaking will impose any new costs 
or burdens.
    With regard to the Security Rule, which was of particular concern 
to commenters as to the compliance costs on business associates, we 
also continue to believe that business associates, in providing their 
adequate assurances to safeguard electronic protected health 
information through their business associate contracts, have 
implemented security protections that meet the standards and required 
implementation specifications in the Security Rule. Further, we 
continue to believe that business associates have made the necessary 
investment in hardware and software to secure the electronic protected 
health information as part of the investment in the hardware and 
software needed for their management and processing of this information 
to perform their business associate functions and comply with the 
contract requirements at Sec.  164.314(a). However, based on the 
comments, we now believe that some business associates, particularly 
smaller business associates that may have access to electronic 
protected health information for limited purposes, may not have engaged 
in certain of the formal administrative safeguards. For example, these 
entities may not have performed a risk analysis, established a risk 
management program, or designated a security official, and may not have 
written policies and procedures, conducted employee training, or 
documented compliance as required under Sec. Sec.  164.308 and 164.316 
of the Security Rule.
    We do not have information on what percentage of business 
associates may have to engage in efforts to comply with some of the 
administrative safeguard standards, including documenting their 
policies and procedures and training their employees on the policies 
and procedures, nor did the comments on the impact statement offer any 
specific information to provide an estimate. We assume that up to 80 
percent of the 1-2 million business associates, or between 800,000 and 
1.6 million business associates, may handle electronic protected health 
information and thus may have to document their existing security 
protocols. Further, of these business associates, we assume that no 
more than 25 percent are likely to incur some cost to document their 
administrative safeguards and their policies and procedures as now 
required by statute and these regulations. We believe that our original 
assumption of compliance with all Security Rule requirements remains 
sound for the rest of the business associates, and we received no 
substantive comments to the contrary.
    The costs of coming into full compliance with the administrative 
safeguard procedures, such as performance of a risk analysis and 
development of a risk management plan, will vary depending on the size 
and complexity of the business associate, the scope of their duties for 
the covered entity and the protected health information they must 
secure, and the degree to which their prior documentation of their 
security protocols falls short of compliance with the standards in the 
Security Rule. In the original Security Rule, we estimated that covered 
entities would need approximately 16 hours to document their policies 
and procedures. See 68 FR 8334, 8368. As these policies and procedures 
are the reflection of the risk management plan, which in turn is based 
on the risk analysis, we believe that this estimate would be inclusive 
of that time. We believe it will take business associates on average 
much less time to document their security related policies and 
procedures, because they have likely already engaged in most of the 
analysis associated with the adoption of security protocols, even if 
they may not have formally reduced all such protocols to writing, and 
because the scope of their responsibilities will generally be much more 
constrained than that of the covered entity with whom they have 
contracted. In addition, while covered entities must perform these 
tasks with respect to their entire business, generally only a small 
part of any business associate is involved with electronic protected 
health information.
    Extrapolating from our estimate in the original Security Rule that 
entities would require approximately 16 hours to implement and document 
Security

[[Page 5679]]

Rule compliance measures for the first time, and applying the 
assumption that most of these measures already are in place, we 
estimate that these business associates will need only between 2 and 5 
hours to formalize or update their applicable administrative 
safeguards. We would cost the time needed to come into compliance at 
$56.61/hour.\40\ According to these assumptions, the range of costs 
that any one business associate would incur to comply with the new 
statutory and regulatory requirements would be between $113 and $283, 
as first year, one-time costs. Assuming that businesses associates with 
access to electronic protected health information represent 80 percent 
of 1 to 2 million total business associates (or 800,000 to 1.6 million 
total), the aggregated costs for all business associates are estimated 
to be between approximately $22.6 million and $113 million. (25 percent 
of 800,000 business associates = 200,000; 200,000 x $113 (2 hr @ 
$56.61/hr) = $22.6 million. 25 percent of 1.6 million business 
associates = 400,000; 400,000 x $283 (5 hr @ $56.61/hr) = $113 
million.) These costs represent one time first year costs for full 
compliance by business associates with the Security Rule requirements.
---------------------------------------------------------------------------

    \40\ We have used the median wage rate described by the U.S. 
Bureau of Labor Statistics in its 2011 National Compensation Survey 
for the category of Management Analysts (including responsibilities 
for designing systems and procedures), which is approximately 
$37.74/hr. See https://www.bls.gov/oes/current/oes_nat.htm . To this 
wage rate we have added 50 percent for benefits, which results in a 
total cost of $56.61/hr.
---------------------------------------------------------------------------

    Table 6 below presents the range of our estimates of the costs to 
business associates of achieving compliance with the rules.

                           TABLE 6--Business Associate Cost Estimates in 2011 Dollars
----------------------------------------------------------------------------------------------------------------
                                                                            BAA between business associates and
           Data element            Security rule compliance documentation              subcontractors
----------------------------------------------------------------------------------------------------------------
Estimated number of affected       200,000-400,000 BAs...................  250,000-500,000 BAs.
 entities.
Hours needed to complete           2-5 hours per BA......................  1 hour per BA.
 compliance activities.
Cost per hour....................  $56.61................................  $84.32.
Total cost.......................  $22.6 million-$113 million............  $21 million-$42 million.
----------------------------------------------------------------------------------------------------------------

Response to Other Public Comments
    Comment: One commenter suggested that business associates will be 
reluctant to contract with covered entities due to perceived increased 
risks associated with such contracts, and covered entities will be 
forced to hire more staff at additional costs.
    Response: While the HIPAA Rules now impose direct liability with 
regard to compliance, business associates were previously contractually 
liable for compliance with these provisions. Further, whether a covered 
entity uses workforce members or business associates to perform its 
operations remains a decision for the covered entity. As this commenter 
did not provide specific information about his concerns, we cannot 
quantify the costs associated with this comment, nor do we have a basis 
for concluding that business associates will refuse to contract with 
covered entities as a result of this rule.
    Comment: One commenter suggested that requiring business associate 
agreements will increase the costs of litigation.
    Response: As business associate agreements were required under the 
HIPAA Rules previously, and as the commenter did not include specific 
information about what costs he believes will increase, we do not 
believe such a requirement will increase litigation generally.
4. Qualitative Analysis of Unquantified Costs
a. Authorization for Uses and Disclosures of Protected Health 
Information for Marketing and Sale of Protected Health Information
    The final rule modifies the definition of ``marketing'' to 
encompass treatment and health care operations communications to 
individuals about health-related products or services if the covered 
entity receives financial remuneration in exchange for making the 
communication from or on behalf of the third party whose product or 
service is being described. A covered entity must obtain an 
individual's written authorization prior to sending marketing 
communications to the individual.
    In the proposed rule, we requested comment on the extent to which 
covered entities currently receive financial remuneration from third 
parties in exchange for sending information to individuals about the 
third parties' health-related products or services. In general, 
commenters did not indicate that complying with the final rule would be 
administratively burdensome, but some commenters expressed a general 
concern over the potential loss of revenue given the new restrictions 
on receiving financial remuneration from a third party to send health-
related communications to an individual. These comments appear to 
indicate that most covered entities would not attempt to obtain 
authorizations for the now prohibited communications but rather would 
forgo making them altogether. We acknowledge the potential for some 
lost revenue due to these modifications in cases where covered entities 
are currently receiving financial remuneration from third parties to 
send health-related communications to individuals. However, as we do 
not know to what extent covered entities today currently operate in 
this manner, and commenters did not include specific information in 
this regard, we do not have data that could inform quantifying such 
loss.
    The final rule also requires an individual's authorization before a 
covered entity may disclose protected health information in exchange 
for remuneration (i.e., ``sell'' protected health information), even if 
the disclosure is for an otherwise permitted disclosure under the 
Privacy Rule. The final rule includes several exceptions to this 
authorization requirement. In the proposed rule, we stated that on its 
face, this new prohibition would appear to increase the burden to 
covered entities by requiring them to obtain authorizations in 
situations in which no authorization is currently required. However, we 
believed such a scenario to be unlikely. We believed most individuals 
would not authorize disclosures of their protected health information 
when they were informed the covered entity would be remunerated for the 
disclosure. Thus, we believed covered entities would simply discontinue 
making such disclosures as it would not be

[[Page 5680]]

worthwhile for covered entities to continue to attempt to obtain such 
authorizations. We requested comment on these assumptions.
    As noted above, the requirement to obtain authorization to receive 
remuneration to make a disclosure of protected health information 
contains several exceptions. In the proposed rule, we expressed our 
belief that covered entities would not incur additional costs to 
continue making most of the excepted disclosures as such exceptions 
were not constrained or limited in any way and thus, would not change 
the status quo. However, we recognized that the exception for research 
disclosures may impose additional burden on researchers as it was, 
consistent with the statute, a conditional exception. Covered entities 
would be able to disclose protected health information under the 
research exception only to the extent any remuneration received in 
exchange for the information did not exceed the cost to produce and 
transmit the information. Thus, we recognized that researchers who 
purchase data from covered entities may now incur additional costs as a 
result of the final rule, in order to obtain newly required 
authorizations, if they are currently paying a covered entity more than 
the cost to produce and transmit the protected health information 
(e.g., an incentive payment to produce the data) and the covered entity 
is not willing to accept only the costs to prepare and transmit the 
data. It was also recognized that some research may be jeopardized to 
the extent that authorizations for the entity to receive these 
incentive payments could not be obtained from subjects. On the other 
hand, to the extent covered entities agreed to receive only the costs 
to prepare and transmit the data, these entities would experience a 
loss of revenue while researchers would experience a corresponding 
decrease in costs, and current disclosures for research purposes could 
continue without authorization. While we acknowledged the potential 
costs under this provision, we stated that we have no information on 
the amounts currently paid to covered entities by researchers for 
protected health information, and thus, had no way to estimate the 
impact of the provision. We solicited comment in this area.
    Overall, commenters did not indicate that obtaining authorization 
prior to disclosing protected health information in exchange for 
remuneration would result in an increased burden or cost for the 
covered entity. However, one commenter did estimate that obtaining 
additional authorizations may cost approximately $22 to $28, per 
patient. Some commenters indicated it may be burdensome to determine if 
remuneration was in fact received by the entity.
    The comments on this provision did not alter our belief that, in 
general, covered entities would discontinue making disclosures in 
exchange for remuneration that require the individual's authorization, 
given the unlikelihood most individuals would agree to authorize such 
disclosures. Further, there are a number of exceptions to the general 
prohibition that allow a covered entity to continue to operate ``status 
quo'' with respect to a number of types of disclosures, even if the 
covered entity receives remuneration. In response to the comments, we 
acknowledge that it may be difficult to determine whether remuneration 
has been received by a covered entity, particularly since the 
prohibition encompasses both direct and indirect (i.e., non-financial) 
remuneration. We expect to issue future guidance on this topic to 
assist entities in complying.
    With respect to the amounts currently paid to covered entities by 
researchers, some commenters indicated as a general concern that 
limiting remuneration received by covered entities from researchers may 
provide a disincentive for covered entities to continue assisting 
researchers in their efforts. However, commenters did not quantify what 
they are paying covered entities above the costs to prepare and 
transmit the data, nor did they provide information that would give the 
Department an idea of the extent to which covered entities receive such 
payments. Therefore, while we acknowledge the potential for some lost 
revenue to covered entities due to these modifications or some 
additional costs to researchers to obtain authorizations, we do not 
have data that could inform quantifying such costs. At the same time, 
we note that we have made some clarifications in the above preamble 
discussion regarding these provisions that we believe would lessen any 
such impact. Specifically, the preamble explains that we do not 
consider a sale of protected health information to encompass payments a 
covered entity may receive in the form of grants, or contracts or other 
arrangements to perform programs or activities, such as a research 
study, where any provision of protected health information to the payer 
is a byproduct of the service being provided. Thus, the payment by a 
research sponsor to a covered entity to conduct a research study is not 
considered a sale of protected health information even if the study 
involves disclosing research results that include protected health 
information to the sponsor. In contrast, a sale of protected health 
information includes disclosures of protected health information where 
a covered entity is receiving remuneration from or on behalf of the 
recipient of the data for the information itself. Thus, a disclosure of 
protected health information by a covered entity to a third party 
researcher that is conducting the research in exchange for remuneration 
would fall within these provisions, unless the only remuneration 
received is a reasonable, cost-based fee to cover the cost to prepare 
and transmit the data for such purposes.
b. Individual Right To Opt Out of Fundraising Communications
    The current Privacy Rule requires covered entities give individuals 
the opportunity to opt out of receiving future fundraising 
communications from the entity. The HITECH Act and final rule 
strengthens the opt out by requiring that it be clear and conspicuous 
and that an individual's choice to opt out should be treated as a 
revocation of authorization. While the rule specified that a clear and 
conspicuous opt out method must not cause an individual to incur an 
undue burden or more than a nominal cost, proposed rule did not specify 
the method to be employed but rather left it up to the discretion of 
the covered entity. We requested comment on the extent to which the 
requirement that the opportunity to elect not to receive further 
fundraising communications be clear and conspicuous would have an 
impact on covered entities and their current fundraising materials.
    Overall, commenters did not indicate that requiring the opt out for 
further fundraising to be clear and conspicuous would greatly impact 
covered entities and their current fundraising efforts or provide 
specific anticipated costs in this regard. Rather, some commenters 
indicated that they already provide pre-paid, pre-printed postcards for 
this purpose with fundraising mailings and doing so is neither costly 
nor imposes a significant burden on the individual who wishes to opt 
out of further communications. Based on this feedback and the continued 
flexibility in the final rule to choose the opt out method (e.g., toll-
free number, post-card), we do not believe that the requirement that 
fundraising opt-outs be clear and conspicuous will result in 
significant new costs to covered entities.
    Further, while some commenters did indicate that a pre-solicitation 
opt out would be costly for covered entities in

[[Page 5681]]

response to our request for comment on this issue, as a result of this 
general opposition, the final rule does not change the current 
requirement that covered entities only need to include an opt-out with 
any solicitation sent to an individual rather than to the first 
fundraising communication.
c. Individuals' Access to Protected Health Information
    In this final rule, we strengthen an individual's right to receive 
an electronic copy of his or her protected health information. 
Specifically, as was proposed, the final rule requires that if an 
individual requests an electronic copy of protected health information 
that is maintained electronically in one or more designated record 
sets, the covered entity must provide the individual with access to the 
electronic information in the electronic form and format requested by 
the individual, if it is readily producible, or, if not, in a readable 
electronic form and format as agreed to by the covered entity and the 
individual. Also, as in the proposed rule, the final rule provides that 
a covered entity may charge a fee for costs associated with labor and 
supplies for creating an electronic copy, including electronic portable 
media if agreed to by the individual, and clarifies that a covered 
entity may charge for postage if an individual requests that the 
covered entity transmit portable media containing an electronic copy 
through mail or courier. However, covered entities may not include fees 
associated with maintaining systems, retrieval costs, or infrastructure 
costs in the fee they charge to provide an electronic copy.
    We continue to believe that this requirement will not result in 
significant new burdens on covered entities. Individuals already had a 
right to access protected health information maintained in electronic 
designated record sets under the prior Rule, and already had a right to 
receive an electronic copy of such information to the extent the 
electronic copy was readily producible by the covered entity. The Rule 
provides significant flexibility to covered entities in honoring 
individuals' request for electronic access. While a covered entity must 
provide some type of electronic copy to an individual who requests one, 
a covered entity is not required to provide the exact form of the copy 
or access requested by the individual if it is not readily producible 
in such form. Thus, covered entities may provide readily producible 
electronic copies of protected health information that are currently 
available on their various systems. A covered entity is not required to 
purchase new software or systems in order to accommodate an electronic 
copy request for a specific form that is not readily producible by the 
covered entity at the time of the request, provided that the covered 
entity is able to provide some form of electronic copy. Further, in 
cases where an individual chooses not to accept the electronic copy 
that is readily producible by the covered entity, a hard copy may be 
offered.
    We did hear from several commenters that some legacy or other 
systems, while capable of producing a hard copy as previously required 
under the existing access requirement, may not be capable of producing 
any electronic copy at present. In these cases, covered entities may 
incur some cost burden in order to purchase software or hardware to 
produce some kind of electronic copy for electronic information held in 
designated record sets on such legacy systems. However, covered 
entities are not required to purchase additional software or hardware 
to meet individuals' specific requests, as long as at least one type of 
electronic copy is available. We anticipate some cost will be incurred 
by covered entities with such systems; however we did not receive 
comments on the extent of these costs, or the number of covered 
entities with legacy systems that will need to incur such costs.
d. Right To Restrict Certain Disclosures to a Health Plan
    The final rule requires that a covered health care provider agree 
in most cases to an individual's request to restrict disclosure to a 
health plan of the individual's protected health information that 
pertains to a health care service for which the individual has paid the 
health care provider in full out of pocket. This is a change from the 
prior rule, which provided individuals with the right to request a 
restriction on certain disclosures; however, a covered entity was not 
required to agree to the restriction, whatever the circumstances. We do 
not believe that covered health care providers will incur substantial 
costs to implement this expanded right for a number of reasons. First, 
in order to comply with the rule prior to this change, a covered entity 
is already required to have processes and procedures in place for 
accepting and considering individuals' requests for restrictions, even 
if, as a general matter, the covered entity declines to agree to such 
requests. This final rule does not require new or different processes 
for receiving and reviewing requests for restrictions, just that the 
covered entity honor, in most cases, a self-pay patient's request for a 
restriction to a health plan. Second, for those covered health care 
providers that do not currently, but will now be required to, 
accommodate requests by self-pay patients to restrict disclosures to a 
health plan, the final rule provides significant flexibility in how 
providers are to honor an individual's request and the preamble makes 
various clarifications in response to comments as to how to 
operationalize this new requirement. For example, the final rule makes 
clear that a health care provider is not required to separate or 
segregate records in order to ensure an individual's restriction 
request is honored. Rather, the final rule leaves it to the discretion 
of the provider as to how to flag information that is the subject of a 
restriction. Further, the final rule provides flexibility as to how 
restriction requests for certain services, such as bundled services, 
are to be handled, as well as what reasonable efforts should be made to 
obtain payment from an individual whose original form of payment has 
been dishonored, prior to resorting to billing the health plan for the 
service. Finally, in response to comments regarding the potential 
burden and cost of doing so, the final rule does not require health 
care providers to inform downstream providers who may receive the 
individual's protected health information, such as a pharmacy or 
specialist, of a restriction, given the lack of automated technologies 
to support such a requirement.
    Notwithstanding the above, we acknowledge that there will be some 
additional burden on certain health care providers to ensure an 
individual's request to restrict a disclosure to a health plan is 
honored where such a request would not have been honored in the past. 
However, we do not have data to inform quantifying an estimated cost in 
this area. For example, we do not have data on the number of providers 
that currently accommodate requests from self-pay patients to restrict 
disclosures versus those that do not, the number of requests that 
covered health care providers receive today that would now require a 
restriction, nor even the number of requests for restrictions generally 
that covered health care providers currently receive.
e. Impact of the Genetic Information Underwriting Prohibition on Health 
Plans
    The final rule prohibits health plans that are HIPAA covered 
entities, except issuers of long term care policies, from using or 
disclosing an individual's protected health information that is

[[Page 5682]]

genetic information for underwriting purposes. As we explained in the 
proposed rule, the rule does not affect health plans that do not 
currently use or disclose protected health information for underwriting 
purposes. Further, even with respect to health plans that perform 
underwriting, plans and issuers in the group market previously 
commented to the Department that they do not, even prior to the passage 
of GINA, use genetic information for underwriting purposes because pre-
GINA laws and regulations prohibit them from discriminating against 
individuals based on any health status related factors, including 
genetic information. With respect to issuers in the individual health 
insurance market, the Department acknowledged in the proposed rule that 
there may be more significant policy changes associated with the 
prohibition on using or disclosing protected health information that is 
genetic information for underwriting purposes. However, the Department 
explained in the proposed rule that it did not have sufficient 
information to determine the extent of such changes, that is, to what 
extent issuers in the individual health insurance market use genetic 
information for underwriting purposes. Regardless, as we explained in 
the proposed rule, in the case of either the individual or group 
market, the Department assumed, because a prohibited use or disclosure 
of genetic information for underwriting purposes would also be a 
discriminatory use of such information under the nondiscrimination 
provisions of GINA Title I and its implementing regulations, that there 
would be no costs associated with conforming a plan's practices to 
comply with the underwriting prohibition that are above and beyond the 
costs associated with complying with the regulations implementing 
sections 101-103 of GINA. With respect to the health plans not covered 
by GINA but subject to the proposed prohibition in the Privacy Rule, 
the Department also assumed that the costs to comply would be minimal 
because such plans either: (1) do not perform underwriting, as is the 
case generally with public benefit plans; or (2) perform underwriting 
but do not in most cases use genetic information (including family 
medical history) for such purposes.
    In general, most comments in response to the proposed rule did not 
provide information that contradicted the above assumptions. However, 
concern was expressed regarding the adverse impact of such an 
underwriting prohibition on the long-term care market. Given the 
concern regarding the impact of the underwriting prohibition on the 
long-term care market, the final rule exempts such plans from the 
prohibition. Thus, there are no costs to be attributed to long term 
care plans with this rule. Further, given we did not receive other 
comments that would lead us to question the underlying assumptions in 
the proposed rule, we do not expect this provision of the final rule to 
result in substantial new costs on health plans, particularly those 
that have been required to comply with the regulations implementing 
GINA's nondiscrimination provisions for several years now.
f. Enforcement Provisions
    The amendments contained within this final rule to the HIPAA 
Enforcement Rule conform the regulatory language of the Rule to the 
enhanced enforcement provisions of the HITECH Act. Consistent with its 
reasoning in prior HIPAA Enforcement rulemakings,\41\ the Department 
expects the costs covered entities, and now business associates, may 
incur with respect to their compliance with the Enforcement Rule, 
itself, should be low in most cases. That is, covered entities and 
business associates that comply with the HIPAA rules voluntarily, as is 
expected, should not incur any additional, significant costs as a 
result of the Enforcement Rule. Further, we believe the increased 
penalties and other enhancements provided by the HITECH Act and which 
are reflected in this final rule provide even more incentive to covered 
entities and business associates to take steps necessary to comply and 
thus not be liable for violations.
---------------------------------------------------------------------------

    \41\ See the preambles to the proposed and final Enforcement 
Rules at 70 FR 20224, 20248-49 (April 18, 2005) and 71 FR 8390, 8424 
(February 16, 2006).
---------------------------------------------------------------------------

D. Qualitative Analysis of Unquantified Benefits

    While we are certain that the regulatory changes in this final rule 
represent significant benefits, we cannot monetize their value. Many 
commenters agreed with our assumptions regarding the benefits to 
individuals, but we did not receive any comments that included specific 
information about quantifying those benefits. The following sections 
describe in greater detail the qualitative benefits of the final rule. 
In addition to greater privacy protections for individuals, these 
benefits include the results of our efforts to reduce burdens. 
Consistent with E.O. 13563, we conducted a retrospective review of our 
regulations and identified areas, such as certain research 
authorization requirements and disclosures to schools regarding 
childhood immunizations, in which we could decrease costs and increase 
flexibilities under the HIPAA Rules. The resulting changes are 
discussed below.
1. Greater Privacy Protections for Individuals
    The benefits for individuals include added information on their 
rights through an expanded NPP, and greater rights with regard to the 
uses and disclosures of their personal health information through 
expanded requirements to: (1) Obtain authorization before a covered 
entity or business associate may disclose their protected health 
information in exchange for remuneration, (2) restrict certain 
disclosures to a health plan at the request of the individual, (3) 
strengthen the ability of individuals to opt out of further fundraising 
communications, and (4) limit uses and disclosures of protected health 
information for marketing. Individuals also will benefit from increased 
protection against discrimination based on their genetic information, 
achieved through the prohibition against health plans using or 
disclosing protected health information that is genetic information for 
underwriting purposes. Individuals also will have increased access to 
their protected health information in an electronic format.
    Finally, under the rule, individuals' health information will be 
afforded greater protection by business associates of covered entities 
who share liability and responsibility with the covered entity for 
safeguarding against impermissible uses and disclosures of protected 
health information.
2. Breach Notification
    The analysis of benefits of the breach notification regulation is 
as stated in the interim final rule. In summary, we stated that 
notifying individuals affected by a breach would alert them to and 
enable them to mitigate potential harms, such as identity theft 
resulting from the exposure of certain identifiers, and reputational 
harm that may result from the exposure of sensitive medical 
information. Further, the breach notification requirements provide 
incentive to covered entities and business associates to better 
safeguard protected health information, such as by encrypting the 
information, where possible.
    We also believe that the modifications to the definition of breach 
to remove the harm standard and revise the risk assessment will ensure 
that covered

[[Page 5683]]

entities and business associates apply the rule in a more objective and 
uniform manner. We believe that these modifications will make the rule 
easier for covered entities and business associates to implement and 
will result in consistency of notification across entities which will 
benefit consumers.
3. Compound Authorizations for Research Uses and Disclosures
    We proposed to permit compound authorizations for the use or 
disclosure of protected health information for conditioned and 
unconditioned research activities provided that the authorization 
clearly differentiates between the conditioned and unconditioned 
research components and clearly allows the individual the option to opt 
in to the unconditioned research activities. We believed that the 
proposed provision would reduce burden and costs on the research 
community by eliminating the need for multiple forms for research 
studies involving both a clinical trial and a related biospecimen 
banking activity or study and by harmonizing the Privacy Rule's 
authorization requirements with the informed consent requirements under 
the Common Rule. This change to the Rule had long been sought by the 
research community. While we expected burden reduction and cost savings 
due to these modifications, we had no data which to quantify an 
estimate of such savings. We requested comment on the anticipated 
savings that this change would bring to the research community.
    As explained above, the final rule adopts the proposal to permit 
compound research authorizations. While almost all commenters on this 
topic were supportive and agreed that the change would result in 
reduced burdens and costs due to a reduction in forms and harmonization 
with the Common Rule, we did not receive significant comment that could 
inform our quantifying the anticipated cost-savings associated with 
this modification.
4. Authorizations for Future Research Uses or Disclosures
    We requested comment on the Department's previous interpretation 
that an authorization for research uses and disclosures must include a 
description of each purpose of the requested use or disclosure that is 
study specific, and the possibility of modifying this interpretation to 
allow for the authorization of future research uses and disclosures. We 
believed that this change in interpretation would reduce burden on 
covered entities and researchers by reducing the need for researchers 
to obtain multiple authorizations from the same individual for research 
and further harmonizing the Privacy Rule authorization requirements 
with the informed consent requirements under the Common Rule.
    The final rule adopts the new interpretation to allow covered 
entities to obtain authorizations for future research uses and 
disclosures to the extent such purposes are adequately described in the 
authorization such that it would be reasonable for the individual to 
expect that his or her protected health information could be used or 
disclosed for such future research. While we did receive comments 
supporting our assertions that permitting authorizations for future 
research uses and disclosures would reduce burden to covered entities 
and researchers by obviating the need for researchers to seek out past 
research participants to obtain authorization for future studies which 
they may be able to authorize at the initial time of enrollment into a 
study, and additionally by reducing the waivers of authorization that 
researchers would need to obtain from Institutional Review Boards, we 
did not receive specific comment on cost savings that could inform our 
quantifying the savings in this final rule.
5. Period of Protection for Decedent Information
    We proposed to modify the current rule to limit the period for 
which a covered entity must protect an individual's health information 
to 50 years after the individual's death. We believed this would reduce 
the burden on both covered entities and those seeking the protected 
health information of persons who have been deceased for many years by 
eliminating the need to search for and find a personal representative 
of the decedent, who in many cases may not be known or even exist after 
so many years, to authorize the disclosure. We believed this change 
would also benefit family members and historians who may seek access to 
the medical information of these decedents for personal and public 
interest reasons. However, we lacked any data to be able to estimate 
the benefits (or any unanticipated costs) of this provision and 
requested comment on these assertions.
    The final rule adopts the modification to limit the period of 
protection for decedent health information to 50 years after the date 
of death. While most comments responding to this proposal were very 
supportive of the change, agreeing with the anticipated benefits the 
Department had articulated (i.e., easier access to old or ancient 
patient health information by family, historians, archivists), the 
comments did not provide specific information that could inform our 
quantifying a cost-savings or reduction in burden associated with this 
change in policy.
    The Department did receive one comment asserting that covered 
entities may keep decedent information, particularly the information of 
famous individuals, for longer than 50 years past the date of death in 
order to monetize those records. The commenter cited an example of an 
x-ray of a deceased celebrity being sold at an auction for $45,000. 
However, we do not anticipate that this is or will be a typical 
scenario.
6. Disclosures About a Decedent
    We proposed to permit covered entities to disclose a decedent's 
protected health information to family members and others who were 
involved in the care or payment for care prior to the decedent's death, 
unless doing so is inconsistent with any prior expressed preference of 
the individual that is known to the covered entity. In the preamble to 
the proposed rule, we stated our belief that the proposed change would 
reduce burden by permitting covered entities to disclose protected 
health information about a decedent to family members and other persons 
who were involved in an individual's care while the individual was 
alive, without having to obtain written permission in the form of an 
authorization from the decedent's personal representative, who may not 
be known or even exist, and may be more difficult to locate as time 
passes. However, we had no data to permit us to estimate the reduction 
in burden and requested public comment on this issue.
    The final rule adopts the modification as proposed. However, as 
with the proposed rule, we are unable to quantify any cost-savings with 
respect this change. While commenters confirmed that permitting such 
disclosures would help facilitate communications with family members 
and other persons who were involved in an individual's care or payment 
for care prior to death, we did not receive any information that could 
inform estimating a savings.
7. Public Health Disclosures
    We proposed to create a new public health provision to permit 
disclosure of proof of a child's immunization by a covered entity to a 
school in States that have school entry or similar laws. This proposed 
change would have allowed a covered health care provider to release

[[Page 5684]]

proof of immunization to a school without having to obtain a written 
authorization, provided the provider obtained the agreement, which may 
be oral, to the disclosure from a parent, guardian or other person 
acting in loco parentis for the individual, or from the individual, if 
the individual was an adult or emancipated minor. We anticipated that 
the proposed change to the regulations would reduce the burden on 
parents, schools, and covered entities in obtaining and providing 
written authorizations, and would minimize the amount of school missed 
by students. However, because we lacked data on the burden reduction, 
we were unable to provide an estimate of the possible savings and 
requested comment on this point.
    The final rule adopts the proposal to permit covered entities to 
disclose, with the oral or written agreement of a parent or guardian, a 
child's proof of immunization to schools in States that have school 
entry or similar laws. This obviates the need for a covered entity to 
receive formal, executed HIPAA authorizations for such disclosures. 
While the final rule requires that covered entities document the 
agreement, the final rule is flexible and does not prescribe the nature 
of the documentation and does not require signature by the parent, 
allowing covered entities the flexibility to determine what is 
appropriate for their purposes. For example, as the preamble indicates 
above, if a parent or guardian submits a written or email request to a 
covered entity to disclose their child's immunization records to the 
child's school, a copy of the request would suffice as documentation of 
the agreement. Likewise, if a parent or guardian calls the covered 
entity and requests over the phone that their child's immunization 
records be disclosed to the child's school, a notation in the child's 
medical record or elsewhere of the phone call would suffice as 
documentation of the agreement.
    Given that the rule no longer requires a formal, executed HIPAA 
authorization for such disclosures and provides significant flexibility 
in the form of the documentation required of a parent's or guardian's 
agreement to the disclosure, this modification is expected to result in 
reduced burden and cost to covered health care providers in making 
these disclosures, as well as to the parents and schools involved in 
the process. We acknowledge that covered health care providers who wish 
to use these less formal processes in lieu of the authorization will 
need to explain their new procedure to office staff. However, given the 
provision's flexibility and narrow scope, we do not expect that the 
providers will need to do more than ensure office staff have a copy of 
the new procedure. Further, any one-time costs to develop and deploy 
the new procedure will be offset by the savings that are expected to 
accrue from the change over time as the disclosures are carried out. 
While we acknowledge the overall savings associated with this change, 
as with other provisions in this rule providing increased flexibility 
for compliance, we are unable to quantify them. For example, we do not 
have data on how many family doctors and other providers generally make 
these types of disclosures and how many requests such providers 
generally receive for proof of immunization, and we did not receive 
data from commenters that could inform our estimating savings in this 
area.

E. Additional Regulatory Analyses

1. Regulatory Flexibility Act
    The Regulatory Flexibility Act requires agencies to analyze and 
consider options for reducing regulatory burden if the regulation will 
impose a significant burden on a substantial number of small entities. 
The Act requires the head of the agency to either certify that the rule 
would not impose such a burden or perform a regulatory flexibility 
analysis and consider alternatives to lessen the burden.
    For the reasons stated below, it is not expected that the cost of 
compliance will be significant for small entities. Nor is it expected 
that the cost of compliance will fall disproportionately on small 
entities. Although many of the covered entities and business associates 
affected by the rule are small entities, they do not bear a 
disproportionate cost burden compared to the other entities subject to 
the rule. Further, with respect to small business associates, only the 
fraction of these entities that has not made a good faith effort to 
comply with existing requirements will experience additional costs 
under the rule. The Department did not receive any comments on its 
certification in the proposed rules. Therefore, the Secretary certifies 
that this rule will not have a significant economic impact on a 
substantial number of small entities.
    The RFA generally defines a ``small entity'' as (1) a proprietary 
firm meeting the size standards of the Small Business Administration 
(SBA), (2) a nonprofit organization that is not dominant in its field, 
or (3) a small government jurisdiction with a population of less than 
50,000. The SBA size standard for health care providers ranges between 
$7.0 million and $34.5 million in annual receipts. Because 90 percent 
or more of all health care providers meet the SBA size standard for a 
small business or are nonprofit organizations, we generally treat all 
health care providers as small entities for purposes of performing a 
regulatory flexibility analysis.
    With respect to health insurers and third party administrators, the 
SBA size standard is $7.0 million in annual receipts. While some 
insurers are classified as nonprofit, it is possible they are dominant 
in their market. For example, a number of Blue Cross/Blue Shield 
insurers are organized as nonprofit entities; yet they dominate the 
health insurance market in the States where they are licensed and 
therefore would not be considered small businesses. Using the SBA's 
definition of a small insurer as a business with less than $7 million 
in revenues, premiums earned as a measure of revenue,\42\ and data 
obtained from the National Association of Insurance Commissioners,\43\ 
the Department estimates that approximately 276 out of 730 insurers had 
revenues of less than $7 million.\44\
---------------------------------------------------------------------------

    \42\ U.S. Small Business Administration, ``Table of Small 
Business Standards Matched to North American Industry Classification 
System Codes,'' available at https://www.sba.gov/content/small-business-size-standards.
    \43\ HHS ASPE analysis of 2010 NAIC Supplemental Health Care 
Exhibit Data.
    \44\ These counts could be an overestimate. Only health 
insurance premiums from both the group and individual market were 
counted. If insurers also offered other types of insurance, their 
revenues could be higher.
---------------------------------------------------------------------------

    From the approximately $225.4 million (upper estimate) in costs we 
are able to identify, the cost per covered entity may be as low as $80 
(for the vast majority of covered entities) and as high as $843 (for 
those entities that experience a breach), and we estimate that the cost 
per affected business associate will be between $84.32 and $282. These 
costs are discussed in detail in the regulatory impact analysis and 
below. We do not view this as a significant burden because, for 
example, even the highest average compliance cost per covered entity we 
have identified ($843) represents just 0.0001% of annual revenues for a 
small entity with only $7 million in receipts (see the low end of SBA's 
size standard for health care providers). We include 750 third party 
administrators in the calculation of covered entities, to represent 
approximately 2.5 million ERISA plans,\45\ most of which are small 
entities, on whose behalf they carry our

[[Page 5685]]

compliance activities. We have no information on how many of these 
plans self-administer, and we did not receive any information from 
commenters in this area and so do not include a separate estimate for 
plans that self-administer.
---------------------------------------------------------------------------

    \45\ Source: 2010 Medical Expenditure Survey--Insurance 
Component.
---------------------------------------------------------------------------

    We estimate that the breach notification requirements will result 
in $14.5 million in annual costs to covered entities. Dividing that 
amount by the approximately 19,000 entities that will actually 
experience a breach of protected health information each year, we 
estimate that the costs of complying with the breach notification 
requirements will amount to, on average, $763 per covered entity that 
must respond to a breach. Smaller covered entities likely will face 
much lower costs, as these entities generally have protected health 
information for far fewer individuals than do larger covered entities 
and breach notification costs are closely linked to the number of 
individuals affected by a given breach incident.
    The other source of costs for covered entities arises from the 
requirement to provide revised NPPs to the individuals they serve. We 
estimate that the approximately 700,000 covered entities will 
experience total costs of approximately $55.9 million for compliance 
with the NPP requirements, or about $80 per covered entity.
    We estimate the costs for 200,000-400,000 business associates to 
come into full compliance with the Security Rule to be approximately 
$22.6-$113 million. The average cost per affected business associate 
would be approximately $198.
    Finally, we estimate that 250,000 to 500,000 business associates 
will incur costs totaling between $21 million and $42 million, 
respectively, to establish or significantly modify contracts with 
subcontractors to be in compliance with the rule's requirements for 
business associate agreements. The average cost per business associate 
would be approximately $84.
    Based on the relatively small cost per covered entity and per 
business associate, the Secretary certifies that the Rule will not have 
a significant impact on a substantial number of small entities. Still, 
we considered and adopted several solutions for reducing the burden on 
small entities.
    First, we combined several required rules into one rulemaking, 
which will allow affected entities to revise and distribute their 
notices of privacy practices at one time rather than multiple times, as 
each separate rule was published. Second, in the final rule we increase 
flexibility for health plans by allowing them to send the revised 
notices with their annual mailings rather than requiring plans to send 
them to individuals in a separate mailing.
    Third, we allow covered entities and business associates with 
existing HIPAA compliant contracts twelve months from the date of the 
rule to renegotiate their contracts unless the contract is otherwise 
renewed or modified before such date. This amount of time plus the 
eight months from the publication date of the rule to the compliance 
date generally gives the parties 20 months to renegotiate their 
agreements. We believe that the added time will reduce the cost to 
revise agreements because the changes the rule requires will be 
incorporated into the routine updating of covered entities' and 
business associates' contracts.
    Finally, the Department has also published on its web site sample 
language for revising the contracts between covered entities and 
business associates. While the language is generic and may not suit all 
entities and agreements, particularly larger entities and those with 
more complex business relationships, we believe that it will 
particularly help small entities with their contract revisions and save 
them time and money in redrafting their contracts to conform to the 
rule.
2. Unfunded Mandates Reform Act
    Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) 
requires that agencies assess anticipated costs and benefits before 
issuing any rule whose mandates would require spending in any one year 
$100 million in 1995 dollars, updated annually for inflation. In 2011, 
that threshold is approximately $136 million. UMRA does not address the 
total cost of a rule. Rather, it focuses on certain categories of cost, 
mainly those ``Federal mandate'' costs resulting from: (1) Imposing 
enforceable duties on State, local, or Tribal governments, or on the 
private sector; or (2) increasing the stringency of conditions in, or 
decreasing the funding of, State, local, or Tribal governments under 
entitlement programs.
    We are able to identify between $114 and $225.4 million in costs on 
both the private sector and State and Federal entities for compliance 
with the final modifications to the HIPAA Privacy and Security Rules, 
and for compliance with the final Breach Notification Rule. As stated 
above, there may be other costs we are not able to monetize because we 
lack data, and the rule may produce savings that may offset some or all 
of the added costs. We must also separately identify costs to be 
incurred by the private sector and those incurred by State and Federal 
entities.
    Some of the costs of the regulation will fall on covered entities, 
which are primarily health care providers and health plans.\46\ For the 
purpose of these calculations, we included all provider costs as 
private sector costs. While we recognize that some providers are State 
or Federal entities, we do not have adequate information to estimate 
the number of public providers, but we believe the number to be 
significantly less than 10 percent of all providers shown in Table 1. 
Therefore, as we did for the RFA analysis and for ease of calculation, 
we assumed that all provider costs are private sector costs. We did not 
receive any comments on this assumption.
---------------------------------------------------------------------------

    \46\ Another type of covered entity, health care clearinghouses, 
generally will not bear these costs, as clearinghouses are not 
required to provide a notice of private practices to individuals and 
are involved in a miniscule fraction of breach incidents, if any.
---------------------------------------------------------------------------

    With respect to health plans, based on the data discussed in 
section C, we estimate that 60 percent of policy holders are served by 
private sector health plans and 40 percent of policy holders are served 
by public sector plans. Therefore, we attribute 60 percent of health 
plan costs to the private sector and 40 percent of plan costs to the 
public sector.
    The remaining costs of complying with the regulation will be borne 
by business associates of covered entities. We do not have data with 
which to estimate the numbers of private versus public entity business 
associates. However, we believe that the vast majority of, if not all, 
business associates, are private entities. Therefore, we assumed all 
business associate costs are private sector costs.
    Of the specific costs we can identify, we estimate that 
approximately 91 percent of all costs, or between $103.7 and $205 
million, will fall on private sector health care providers, health 
plans, and business associates. The remaining costs, approximately 
$10.3-20.4 million, will fall on public sector health plans. The 
following paragraphs outline the distribution of costs arising from the 
four cost-bearing elements of the final rule: (1) Covered entities must 
revise and distribute notices of privacy practices, (2) Covered 
entities that experience a breach of protected health information must 
comply with the breach notification requirements, (3) certain business 
associates must revise contracts with subcontractors to meet business 
associate agreement requirements, and (4) Certain business associates 
must make efforts to achieve full compliance with the administrative 
requirements of the Security Rule.

[[Page 5686]]

    We estimate the costs for to comply with the NPP provisions will 
reach about $55.9 million, which will be shared by providers and health 
plans. Providers will bear approximately $40.4 million of these costs, 
all of which we attribute to the private sector. Health plans will bear 
approximately $15.5 million and, as explained above, we have allocated 
60 percent of health plan costs for NPPs, or $9.3 million, as private 
sector costs. Public plans will bear the remaining $6.2 million.
    We estimate that private entities will bear 93 percent of the costs 
of compliance with the breach notification requirements, or about $13.5 
million. This is because the majority of breach reports are filed by 
health care providers, all of whose costs we attribute to the private 
sector. Consistent with our estimate that 60 percent of health plan 
members are enrolled in private sector plans, we also include as 
private costs 60 percent of the breach notification costs borne by 
health plans (based on the number of health plans that have filed 
breach reports).
    Finally, we estimate that all of the costs for business associates 
to create or revise business associate agreements with subcontractors 
($42 million outer estimate), and to come into full compliance with the 
Security Rule ($113 million outer estimate), will be private sector 
costs.
    As the estimated costs to private entities alone may exceed the 
$136 million threshold, UMRA requires us to prepare an analysis of the 
costs and benefits of the rule. We have already done so, in accordance 
with Executive Orders 12866 and 13563, and present this analysis in 
sections C and D.
3. Federalism
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a rule that imposes substantial 
direct requirement costs on State and local governments, preempts State 
law, or otherwise has Federalism implications.
    The Federalism implications of the Privacy and Security Rules were 
assessed as required by Executive Order 13132 and published as part of 
the preambles to the final rules on December 28, 2000 (65 FR 82462, 
82797) and February 20, 2003 (68 FR 8334, 8373), respectively. 
Regarding preemption, the preamble to the final Privacy Rule explains 
that the HIPAA statute dictates the relationship between State law and 
Privacy Rule requirements. Therefore, the Privacy Rule's preemption 
provisions do not raise Federalism issues. The HITECH Act, at section 
13421(a), provides that the HIPAA preemption provisions shall apply to 
the HITECH provisions and requirements. While we have made minor 
technical changes to the preemption provisions in Subpart B of Part 160 
to conform to and incorporate the HITECH Act preemption provisions, 
these changes do not raise new Federalism issues. The changes include: 
(1) Amending the definitions of ``contrary'' and ``more stringent'' to 
reference business associates; and (2) further amending the definition 
of contrary to provide that State law would be contrary to the HIPAA 
Administrative Simplification provisions if it stands as an obstacle to 
the accomplishment and execution of the full purposes and objectives of 
not only HIPAA, but also the HITECH Act.
    We do not believe that the rule will impose substantial direct 
compliance costs on State and local governments that are not required 
by statute. It is our understanding that State and local government 
covered entities do not engage in marketing, the sale of protected 
health information, or fundraising. Therefore, the modifications in 
these areas would not cause additional costs to State and local 
governments. We anticipate that the most significant direct costs on 
State and local governments will be the cost for State and local 
government-owned covered entities of drafting, printing, and 
distributing revised notices of privacy practices, which would include 
the cost of mailing these notices for State health plans, such as 
Medicaid. However, the costs involved can be attributed to the 
statutory requirements, which provide individuals with strengthened 
rights about which they need to be notified.
    In considering the principles in and requirements of Executive 
Order 13132, the Department has determined that these modifications to 
the Privacy and Security Rules will not significantly affect the 
rights, roles, and responsibilities of the States.

F. Accounting Statement

    Whenever a rule is considered a significant rule under Executive 
Order 12866, we are required to develop an accounting statement 
indicating the costs associated with promulgating the rule. Below, we 
present overall monetary annualized costs discounted at 3 percent and 7 
percent as described in the Regulatory Impact Analysis.

                                        Estimated Costs of the Final Rule
                                               [In 2011 millions]
----------------------------------------------------------------------------------------------------------------
                                                            Primary estimate  Minimum estimate  Maximum estimate
                    Costs (annualized)                            ($M)              ($M)              ($M)
----------------------------------------------------------------------------------------------------------------
Discounted @7%............................................              42.8              34.8              50.6
@3%.......................................................              35.2              28.7              41.7
----------------------------------------------------------------------------------------------------------------

    In the RIA, we acknowledged several potential sources of costs that 
we were unable to quantify. Because we have no way to determine the 
extent to which entities currently engage in certain activities for 
which they now need authorization, or who will need to take on a new 
burden because of the rule, we cannot predict the magnitude of these 
costs with any certainty. These potential sources of cost include:
    1. Potential lost revenue to covered entities who forgo making 
certain subsidized health-related communications to individuals rather 
than obtain those individuals' authorization for such communications;
    2. Costs to researchers to obtain authorization to make incentive 
payments (above the costs to prepare the data) to covered entities to 
produce data or, alternatively, a loss in revenue for covered entities 
who agree to accept only the costs to prepare and transmit the data;
    3. Potential costs to certain covered entities who purchase 
software or hardware to allow them to produce an electronic copy of 
individuals' protected health information; and
    4. The burden to some health care providers of ensuring that an 
individual's request to restrict a disclosure to a health plan is 
honored where it might not have been before the final rule.
    While we are certain the changes in this final rule also represent 
distinct

[[Page 5687]]

benefits to individuals with regard to the privacy and security of 
their health information, and with regard to their rights to that 
information, we are unable to quantify the benefits. Other expected 
qualitative benefits, which are described in detail above, include 
savings due to provisions simplifying and streamlining requirements and 
increasing flexibility. Such savings arise from:
    1. Eliminating the need for multiple forms for certain research 
studies by permitting compound authorizations;
    2. Obviating the need to find past research participants and obtain 
new authorizations for new research by allowing individuals to 
authorize future research uses and disclosures at the time of initial 
enrollment;
    3. Limiting the period of protection for decedent information to 
permit family members and historians to obtain information about a 
decedent without needing to find a personal representative of the 
deceased individual to authorize the disclosure;
    4. Permitting disclosures to a decedent's family members or others 
involved in the care or payment for care prior to the decedent's death; 
and
    5. Permitting covered entities to document a parent's informal 
agreement to disclose immunization information to a child's school 
rather than requiring a signed authorization form.

VIII. Collection of Information Requirements

    This final rule contains the following information collections 
(i.e., reporting, recordkeeping, and third-party disclosures) under the 
Paperwork Reduction Act. Some of those provisions involve changes from 
the information collections set out in the proposed and interim final 
rules. These changes are noted below.

A. Reporting

     Notification to the Secretary of breaches of unsecured 
protected health information (Sec.  164.408). In the final rule, we 
revise our estimated number of respondents and responses to reflect our 
experience administering the interim final rule.

B. Recordkeeping

     Documentation of safeguards and policies and procedures 
under the Security Rule (Sec.  164.316). In the proposed rule, we 
assumed that all business associates were in compliance with the 
Security Rule's documentation standard because of their contractual 
obligations to covered entities under the HIPAA Rules. In the final 
rule, we recognize that a minority of business associates, who have not 
previously maintained documentation of their policies and procedures 
and administrative safeguards under the Security Rule, may experience a 
burden coming into compliance with the documentation standard for the 
first time because they are now subject to direct liability under the 
Security Rule.
     Business Associate Agreements (Sec.  164.504(e)). We 
assumed in the proposed rule that business associates and their 
subcontractors were complying with their existing contractual 
obligations but acknowledged that some contracts would have to be 
modified to reflect changes in the law. We requested comments on how 
many entities would be unable able to revise contracts, in the normal 
course of business, within the phase-in period. We did not receive 
comments that would allow us to make a specific estimate; nonetheless, 
in the final rule we assume that a significant minority of business 
associates will need to revise their business associate agreements with 
subcontractors (or establish such agreements for the first time if they 
were not previously in compliance).

C. Third-Party Disclosures

     Breach notification to affected individuals and the media 
(Sec. Sec.  164.404 & 164.406). We revise our estimates of the numbers 
of breaches, covered entities, and individuals affected to reflect our 
experience in administering the breach notification requirements under 
the interim final rule.
     Revision and dissemination of notices of privacy practices 
for protected health information (Sec.  164.520). Our burden estimates 
for this provision in the proposed rule were based on the requirement 
for covered entities to send a separate mailing containing the new 
notice to each policy holder. As part of an effort to reduce overall 
burden, the final rule instead permits health plans to send the revised 
notice of privacy practices in their next annual mailing to policy 
holders, allowing them to avoid additional distribution burdens. We 
also revise the estimated number of affected covered entities based on 
updated information from the Department of Labor and the Small Business 
Administration.
    In addition to the changes summarized above, the information 
collections described in this final rule have been submitted to the 
Office of Management and Budget for review and approval.

List of Subjects

45 CFR Part 160

    Administrative practice and procedure, Computer technology, 
Electronic information system, Electronic transactions, Employer 
benefit plan, Health, Health care, Health facilities, Health insurance, 
Health records, Hospitals, Investigations, Medicaid, Medical research, 
Medicare, Penalties, Privacy, Reporting and record keeping 
requirements, Security.

45 CFR Part 164

    Administrative practice and procedure, Computer technology, 
Electronic information system, Electronic transactions, Employer 
benefit plan, Health, Health care, Health facilities, Health insurance, 
Health records, Hospitals, Medicaid, Medical research, Medicare, 
Privacy, Reporting and record keeping requirements, Security.

    For the reasons set forth in the preamble, the Department amends 45 
CFR Subtitle A, Subchapter C, parts 160 and 164, as set forth below:

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

0
1. The authority citation for part 160 is revised to read as follows:

    Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, 
Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); 5 
U.S.C. 552; secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279; and 
sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.


0
2. Revise Sec.  160.101 to read as follows:


Sec.  160.101  Statutory basis and purpose.

    The requirements of this subchapter implement sections 1171-1180 of 
the Social Security Act (the Act), sections 262 and 264 of Public Law 
104-191, section 105 of Public Law 110-233, sections 13400-13424 of 
Public Law 111-5, and section 1104 of Public Law 111-148.

0
3. Amend Sec.  160.102 as follows:
0
a. Redesignate paragraph (b) as paragraph (c); and
0
b. Add new paragraph (b) to read as follows:


Sec.  160.102  Applicability.

* * * * *
    (b) Where provided, the standards, requirements, and implementation 
specifications adopted under this subchapter apply to a business 
associate.
* * * * *

0
4. Amend Sec.  160.103 as follows:
0
a. Revise the definitions of ``Business associate'', ``Compliance 
date'',

[[Page 5688]]

``Disclosure'', ``Electronic media'', the introductory text of the 
definition of ``Health information'', paragraphs (1)(vi) through (xi), 
and (xv) of the definition of ``Health plan'', paragraph (2) of the 
definition of ``Protected health information,'' and the definitions of 
``Standard'', ``State'', and ``Workforce''; and
0
b. Add, in alphabetical order, new definitions of ``Administrative 
simplification provision'', ``ALJ'', ``Civil money penalty or 
penalty'', ``Family member'', ``Genetic information'', ``Genetic 
services'', ``Genetic test'', ``Manifestation or manifested'', 
``Respondent'', ``Subcontractor'', and ``Violation or violate''.
    The revisions and additions read as follows:


Sec.  160.103  Definitions.

* * * * *
    Administrative simplification provision means any requirement or 
prohibition established by:
    (1) 42 U.S.C. 1320d-1320d-4, 1320d-7, 1320d-8, and 1320d-9;
    (2) Section 264 of Pub. L. 104-191;
    (3) Sections 13400-13424 of Public Law 111-5; or
    (4) This subchapter.
    ALJ means Administrative Law Judge.
* * * * *
    Business associate: (1) Except as provided in paragraph (4) of this 
definition, business associate means, with respect to a covered entity, 
a person who:
    (i) On behalf of such covered entity or of an organized health care 
arrangement (as defined in this section) in which the covered entity 
participates, but other than in the capacity of a member of the 
workforce of such covered entity or arrangement, creates, receives, 
maintains, or transmits protected health information for a function or 
activity regulated by this subchapter, including claims processing or 
administration, data analysis, processing or administration, 
utilization review, quality assurance, patient safety activities listed 
at 42 CFR 3.20, billing, benefit management, practice management, and 
repricing; or
    (ii) Provides, other than in the capacity of a member of the 
workforce of such covered entity, legal, actuarial, accounting, 
consulting, data aggregation (as defined in Sec.  164.501 of this 
subchapter), management, administrative, accreditation, or financial 
services to or for such covered entity, or to or for an organized 
health care arrangement in which the covered entity participates, where 
the provision of the service involves the disclosure of protected 
health information from such covered entity or arrangement, or from 
another business associate of such covered entity or arrangement, to 
the person.
    (2) A covered entity may be a business associate of another covered 
entity.
    (3) Business associate includes:
    (i) A Health Information Organization, E-prescribing Gateway, or 
other person that provides data transmission services with respect to 
protected health information to a covered entity and that requires 
access on a routine basis to such protected health information.
    (ii) A person that offers a personal health record to one or more 
individuals on behalf of a covered entity.
    (iii) A subcontractor that creates, receives, maintains, or 
transmits protected health information on behalf of the business 
associate.
    (4) Business associate does not include:
    (i) A health care provider, with respect to disclosures by a 
covered entity to the health care provider concerning the treatment of 
the individual.
    (ii) A plan sponsor, with respect to disclosures by a group health 
plan (or by a health insurance issuer or HMO with respect to a group 
health plan) to the plan sponsor, to the extent that the requirements 
of Sec.  164.504(f) of this subchapter apply and are met.
    (iii) A government agency, with respect to determining eligibility 
for, or enrollment in, a government health plan that provides public 
benefits and is administered by another government agency, or 
collecting protected health information for such purposes, to the 
extent such activities are authorized by law.
    (iv) A covered entity participating in an organized health care 
arrangement that performs a function or activity as described by 
paragraph (1)(i) of this definition for or on behalf of such organized 
health care arrangement, or that provides a service as described in 
paragraph (1)(ii) of this definition to or for such organized health 
care arrangement by virtue of such activities or services.
    Civil money penalty or penalty means the amount determined under 
Sec.  160.404 of this part and includes the plural of these terms.
* * * * *
    Compliance date means the date by which a covered entity or 
business associate must comply with a standard, implementation 
specification, requirement, or modification adopted under this 
subchapter.
* * * * *
    Disclosure means the release, transfer, provision of access to, or 
divulging in any manner of information outside the entity holding the 
information.
* * * * *
    Electronic media means:
    (1) Electronic storage material on which data is or may be recorded 
electronically, including, for example, devices in computers (hard 
drives) and any removable/transportable digital memory medium, such as 
magnetic tape or disk, optical disk, or digital memory card;
    (2) Transmission media used to exchange information already in 
electronic storage media. Transmission media include, for example, the 
Internet, extranet or intranet, leased lines, dial-up lines, private 
networks, and the physical movement of removable/transportable 
electronic storage media. Certain transmissions, including of paper, 
via facsimile, and of voice, via telephone, are not considered to be 
transmissions via electronic media if the information being exchanged 
did not exist in electronic form immediately before the transmission.
* * * * *
    Family member means, with respect to an individual:
    (1) A dependent (as such term is defined in 45 CFR 144.103), of the 
individual; or
    (2) Any other person who is a first-degree, second-degree, third-
degree, or fourth-degree relative of the individual or of a dependent 
of the individual. Relatives by affinity (such as by marriage or 
adoption) are treated the same as relatives by consanguinity (that is, 
relatives who share a common biological ancestor). In determining the 
degree of the relationship, relatives by less than full consanguinity 
(such as half-siblings, who share only one parent) are treated the same 
as relatives by full consanguinity (such as siblings who share both 
parents).
    (i) First-degree relatives include parents, spouses, siblings, and 
children.
    (ii) Second-degree relatives include grandparents, grandchildren, 
aunts, uncles, nephews, and nieces.
    (iii) Third-degree relatives include great-grandparents, great-
grandchildren, great aunts, great uncles, and first cousins.
    (iv) Fourth-degree relatives include great-great grandparents, 
great-great grandchildren, and children of first cousins.
    Genetic information means:
    (1) Subject to paragraphs (2) and (3) of this definition, with 
respect to an individual, information about:
    (i) The individual's genetic tests;
    (ii) The genetic tests of family members of the individual;

[[Page 5689]]

    (iii) The manifestation of a disease or disorder in family members 
of such individual; or
    (iv) Any request for, or receipt of, genetic services, or 
participation in clinical research which includes genetic services, by 
the individual or any family member of the individual.
    (2) Any reference in this subchapter to genetic information 
concerning an individual or family member of an individual shall 
include the genetic information of:
    (i) A fetus carried by the individual or family member who is a 
pregnant woman; and
    (ii) Any embryo legally held by an individual or family member 
utilizing an assisted reproductive technology.
    (3) Genetic information excludes information about the sex or age 
of any individual.
    Genetic services means:
    (1) A genetic test;
    (2) Genetic counseling (including obtaining, interpreting, or 
assessing genetic information); or
    (3) Genetic education.
    Genetic test means an analysis of human DNA, RNA, chromosomes, 
proteins, or metabolites, if the analysis detects genotypes, mutations, 
or chromosomal changes. Genetic test does not include an analysis of 
proteins or metabolites that is directly related to a manifested 
disease, disorder, or pathological condition.
* * * * *
    Health information means any information, including genetic 
information, whether oral or recorded in any form or medium, that: * * 
*
* * * * *
    Health plan means * * *
    (1) * * *
    (vi) The Voluntary Prescription Drug Benefit Program under Part D 
of title XVIII of the Act, 42 U.S.C. 1395w-101 through 1395w-152.
    (vii) An issuer of a Medicare supplemental policy (as defined in 
section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).
    (viii) An issuer of a long-term care policy, excluding a nursing 
home fixed indemnity policy.
    (ix) An employee welfare benefit plan or any other arrangement that 
is established or maintained for the purpose of offering or providing 
health benefits to the employees of two or more employers.
    (x) The health care program for uniformed services under title 10 
of the United States Code.
    (xi) The veterans health care program under 38 U.S.C. chapter 17.
* * * * *
    (xv) The Medicare Advantage program under Part C of title XVIII of 
the Act, 42 U.S.C. 1395w-21 through 1395w-28.
* * * * *
    Manifestation or manifested means, with respect to a disease, 
disorder, or pathological condition, that an individual has been or 
could reasonably be diagnosed with the disease, disorder, or 
pathological condition by a health care professional with appropriate 
training and expertise in the field of medicine involved. For purposes 
of this subchapter, a disease, disorder, or pathological condition is 
not manifested if the diagnosis is based principally on genetic 
information.
* * * * *
    Protected health information * * *
    (2) Protected health information excludes individually identifiable 
health information:
    (i) In education records covered by the Family Educational Rights 
and Privacy Act, as amended, 20 U.S.C. 1232g;
    (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
    (iii) In employment records held by a covered entity in its role as 
employer; and
    (iv) Regarding a person who has been deceased for more than 50 
years.
* * * * *
    Respondent means a covered entity or business associate upon which 
the Secretary has imposed, or proposes to impose, a civil money 
penalty.
* * * * *
    Standard means a rule, condition, or requirement:
    (1) Describing the following information for products, systems, 
services, or practices:
    (i) Classification of components;
    (ii) Specification of materials, performance, or operations; or
    (iii) Delineation of procedures; or
    (2) With respect to the privacy of protected health information.
* * * * *
    State refers to one of the following:
    (1) For a health plan established or regulated by Federal law, 
State has the meaning set forth in the applicable section of the United 
States Code for such health plan.
    (2) For all other purposes, State means any of the several States, 
the District of Columbia, the Commonwealth of Puerto Rico, the Virgin 
Islands, Guam, American Samoa, and the Commonwealth of the Northern 
Mariana Islands.
    Subcontractor means a person to whom a business associate delegates 
a function, activity, or service, other than in the capacity of a 
member of the workforce of such business associate.
* * * * *
    Violation or violate means, as the context may require, failure to 
comply with an administrative simplification provision.
    Workforce means employees, volunteers, trainees, and other persons 
whose conduct, in the performance of work for a covered entity or 
business associate, is under the direct control of such covered entity 
or business associate, whether or not they are paid by the covered 
entity or business associate.

0
5. Add Sec.  160.105 to subpart A to read as follows:


Sec.  160.105  Compliance dates for implementation of new or modified 
standards and implementation specifications.

    Except as otherwise provided, with respect to rules that adopt new 
standards and implementation specifications or modifications to 
standards and implementation specifications in this subchapter in 
accordance with Sec.  160.104 that become effective after January 25, 
2013, covered entities and business associates must comply with the 
applicable new standards and implementation specifications, or 
modifications to standards and implementation specifications, no later 
than 180 days from the effective date of any such standards or 
implementation specifications.

0
6. Revise Sec.  160.201 to read as follows:


Sec.  160.201  Statutory basis.

    The provisions of this subpart implement section 1178 of the Act, 
section 262 of Public Law 104-191, section 264(c) of Public Law 104-
191, and section 13421(a) of Public Law 111-5.

0
7. In Sec.  160.202, revise the definition of ``Contrary'' and 
paragraph (1)(i) of the definition of ``More stringent'' to read as 
follows:


Sec.  160.202  Definitions.

* * * * *
    Contrary, when used to compare a provision of State law to a 
standard, requirement, or implementation specification adopted under 
this subchapter, means:
    (1) A covered entity or business associate would find it impossible 
to comply with both the State and Federal requirements; or
    (2) The provision of State law stands as an obstacle to the 
accomplishment and execution of the full purposes and objectives of 
part C of title XI of the Act,

[[Page 5690]]

section 264 of Public Law 104-191, or sections 13400-13424 of Public 
Law 111-5, as applicable.
    More stringent * * *
    (1) * * *
    (i) Required by the Secretary in connection with determining 
whether a covered entity or business associate is in compliance with 
this subchapter; or
* * * * *

0
8. Revise Sec.  160.300 to read as follows:


Sec.  160.300  Applicability.

    This subpart applies to actions by the Secretary, covered entities, 
business associates, and others with respect to ascertaining the 
compliance by covered entities and business associates with, and the 
enforcement of, the applicable provisions of this part 160 and parts 
162 and 164 of this subchapter.


Sec.  160.302  [Removed and Reserved]

0
9. Remove and reserve Sec.  160.302.

0
10. Revise Sec.  160.304 to read as follows:


Sec.  160.304  Principles for achieving compliance.

    (a) Cooperation. The Secretary will, to the extent practicable and 
consistent with the provisions of this subpart, seek the cooperation of 
covered entities and business associates in obtaining compliance with 
the applicable administrative simplification provisions.
    (b) Assistance. The Secretary may provide technical assistance to 
covered entities and business associates to help them comply 
voluntarily with the applicable administrative simplification 
provisions.

0
11. In Sec.  160.306, revise paragraphs (a) and (c) to read as follows:


Sec.  160.306  Complaints to the Secretary.

    (a) Right to file a complaint. A person who believes a covered 
entity or business associate is not complying with the administrative 
simplification provisions may file a complaint with the Secretary.
* * * * *
    (c) Investigation. (1) The Secretary will investigate any complaint 
filed under this section when a preliminary review of the facts 
indicates a possible violation due to willful neglect.
    (2) The Secretary may investigate any other complaint filed under 
this section.
    (3) An investigation under this section may include a review of the 
pertinent policies, procedures, or practices of the covered entity or 
business associate and of the circumstances regarding any alleged 
violation.
    (4) At the time of the initial written communication with the 
covered entity or business associate about the complaint, the Secretary 
will describe the acts and/or omissions that are the basis of the 
complaint.

0
12. Revise Sec.  160.308 to read as follows:


Sec.  160.308  Compliance reviews.

    (a) The Secretary will conduct a compliance review to determine 
whether a covered entity or business associate is complying with the 
applicable administrative simplification provisions when a preliminary 
review of the facts indicates a possible violation due to willful 
neglect.
    (b) The Secretary may conduct a compliance review to determine 
whether a covered entity or business associate is complying with the 
applicable administrative simplification provisions in any other 
circumstance.

0
13. Revise Sec.  160.310 to read as follows:


Sec.  160.310  Responsibilities of covered entities and business 
associates.

    (a) Provide records and compliance reports. A covered entity or 
business associate must keep such records and submit such compliance 
reports, in such time and manner and containing such information, as 
the Secretary may determine to be necessary to enable the Secretary to 
ascertain whether the covered entity or business associate has complied 
or is complying with the applicable administrative simplification 
provisions.
    (b) Cooperate with complaint investigations and compliance reviews. 
A covered entity or business associate must cooperate with the 
Secretary, if the Secretary undertakes an investigation or compliance 
review of the policies, procedures, or practices of the covered entity 
or business associate to determine whether it is complying with the 
applicable administrative simplification provisions.
    (c) Permit access to information. (1) A covered entity or business 
associate must permit access by the Secretary during normal business 
hours to its facilities, books, records, accounts, and other sources of 
information, including protected health information, that are pertinent 
to ascertaining compliance with the applicable administrative 
simplification provisions. If the Secretary determines that exigent 
circumstances exist, such as when documents may be hidden or destroyed, 
a covered entity or business associate must permit access by the 
Secretary at any time and without notice.
    (2) If any information required of a covered entity or business 
associate under this section is in the exclusive possession of any 
other agency, institution, or person and the other agency, institution, 
or person fails or refuses to furnish the information, the covered 
entity or business associate must so certify and set forth what efforts 
it has made to obtain the information.
    (3) Protected health information obtained by the Secretary in 
connection with an investigation or compliance review under this 
subpart will not be disclosed by the Secretary, except if necessary for 
ascertaining or enforcing compliance with the applicable administrative 
simplification provisions, if otherwise required by law, or if 
permitted under 5 U.S.C. 552a(b)(7).

0
14. Revise Sec.  160.312 to read as follows:


Sec.  160.312  Secretarial action regarding complaints and compliance 
reviews.

    (a) Resolution when noncompliance is indicated. (1) If an 
investigation of a complaint pursuant to Sec.  160.306 or a compliance 
review pursuant to Sec.  160.308 indicates noncompliance, the Secretary 
may attempt to reach a resolution of the matter satisfactory to the 
Secretary by informal means. Informal means may include demonstrated 
compliance or a completed corrective action plan or other agreement.
    (2) If the matter is resolved by informal means, the Secretary will 
so inform the covered entity or business associate and, if the matter 
arose from a complaint, the complainant, in writing.
    (3) If the matter is not resolved by informal means, the Secretary 
will--
    (i) So inform the covered entity or business associate and provide 
the covered entity or business associate an opportunity to submit 
written evidence of any mitigating factors or affirmative defenses for 
consideration under Sec. Sec.  160.408 and 160.410 of this part. The 
covered entity or business associate must submit any such evidence to 
the Secretary within 30 days (computed in the same manner as prescribed 
under Sec.  160.526 of this part) of receipt of such notification; and
    (ii) If, following action pursuant to paragraph (a)(3)(i) of this 
section, the Secretary finds that a civil money penalty should be 
imposed, inform the covered entity or business associate of such 
finding in a notice of proposed determination in accordance with Sec.  
160.420 of this part.
    (b) Resolution when no violation is found. If, after an 
investigation pursuant to Sec.  160.306 or a compliance review pursuant 
to Sec.  160.308, the Secretary determines that further action is not

[[Page 5691]]

warranted, the Secretary will so inform the covered entity or business 
associate and, if the matter arose from a complaint, the complainant, 
in writing.

0
15. In Sec.  160.316, revise the introductory text to read as follows:


Sec.  160.316  Refraining from intimidation or retaliation.

    A covered entity or business associate may not threaten, 
intimidate, coerce, harass, discriminate against, or take any other 
retaliatory action against any individual or other person for--
* * * * *

0
16. In Sec.  160.401, revise the definition of ``Reasonable cause'' to 
read as follows:


Sec.  160.401  Definitions.

* * * * *
    Reasonable cause means an act or omission in which a covered entity 
or business associate knew, or by exercising reasonable diligence would 
have known, that the act or omission violated an administrative 
simplification provision, but in which the covered entity or business 
associate did not act with willful neglect.
* * * * *

0
17. Revise Sec.  160.402 to read as follows:


Sec.  160.402  Basis for a civil money penalty.

    (a) General rule. Subject to Sec.  160.410, the Secretary will 
impose a civil money penalty upon a covered entity or business 
associate if the Secretary determines that the covered entity or 
business associate has violated an administrative simplification 
provision.
    (b) Violation by more than one covered entity or business 
associate. (1) Except as provided in paragraph (b)(2) of this section, 
if the Secretary determines that more than one covered entity or 
business associate was responsible for a violation, the Secretary will 
impose a civil money penalty against each such covered entity or 
business associate.
    (2) A covered entity that is a member of an affiliated covered 
entity, in accordance with Sec.  164.105(b) of this subchapter, is 
jointly and severally liable for a civil money penalty for a violation 
of part 164 of this subchapter based on an act or omission of the 
affiliated covered entity, unless it is established that another member 
of the affiliated covered entity was responsible for the violation.
    (c) Violation attributed to a covered entity or business associate. 
(1) A covered entity is liable, in accordance with the Federal common 
law of agency, for a civil money penalty for a violation based on the 
act or omission of any agent of the covered entity, including a 
workforce member or business associate, acting within the scope of the 
agency.
    (2) A business associate is liable, in accordance with the Federal 
common law of agency, for a civil money penalty for a violation based 
on the act or omission of any agent of the business associate, 
including a workforce member or subcontractor, acting within the scope 
of the agency.

0
18. In Sec.  160.404, revise the introductory text of paragraphs 
(b)(2)(i), (b)(2)(iii), and (b)(2)(iv) to read as follows:


Sec.  160.404  Amount of a civil money penalty.

* * * * *
    (b) * * *
    (2) * * *
    (i) For a violation in which it is established that the covered 
entity or business associate did not know and, by exercising reasonable 
diligence, would not have known that the covered entity or business 
associate violated such provision,
* * * * *
    (iii) For a violation in which it is established that the violation 
was due to willful neglect and was corrected during the 30-day period 
beginning on the first date the covered entity or business associate 
liable for the penalty knew, or, by exercising reasonable diligence, 
would have known that the violation occurred,
* * * * *
    (iv) For a violation in which it is established that the violation 
was due to willful neglect and was not corrected during the 30-day 
period beginning on the first date the covered entity or business 
associate liable for the penalty knew, or, by exercising reasonable 
diligence, would have known that the violation occurred,
* * * * *

0
19. Revise Sec.  160.406 to read as follows:


Sec.  160.406  Violations of an identical requirement or prohibition.

    The Secretary will determine the number of violations of an 
administrative simplification provision based on the nature of the 
covered entity's or business associate's obligation to act or not act 
under the provision that is violated, such as its obligation to act in 
a certain manner, or within a certain time, or to act or not act with 
respect to certain persons. In the case of continuing violation of a 
provision, a separate violation occurs each day the covered entity or 
business associate is in violation of the provision.

0
20. Revise Sec.  160.408 to read as follows:


Sec.  160.408  Factors considered in determining the amount of a civil 
money penalty.

    In determining the amount of any civil money penalty, the Secretary 
will consider the following factors, which may be mitigating or 
aggravating as appropriate:
    (a) The nature and extent of the violation, consideration of which 
may include but is not limited to:
    (1) The number of individuals affected; and
    (2) The time period during which the violation occurred;
    (b) The nature and extent of the harm resulting from the violation, 
consideration of which may include but is not limited to:
    (1) Whether the violation caused physical harm;
    (2) Whether the violation resulted in financial harm;
    (3) Whether the violation resulted in harm to an individual's 
reputation; and
    (4) Whether the violation hindered an individual's ability to 
obtain health care;
    (c) The history of prior compliance with the administrative 
simplification provisions, including violations, by the covered entity 
or business associate, consideration of which may include but is not 
limited to:
    (1) Whether the current violation is the same or similar to 
previous indications of noncompliance;
    (2) Whether and to what extent the covered entity or business 
associate has attempted to correct previous indications of 
noncompliance;
    (3) How the covered entity or business associate has responded to 
technical assistance from the Secretary provided in the context of a 
compliance effort; and
    (4) How the covered entity or business associate has responded to 
prior complaints;
    (d) The financial condition of the covered entity or business 
associate, consideration of which may include but is not limited to:
    (1) Whether the covered entity or business associate had financial 
difficulties that affected its ability to comply;
    (2) Whether the imposition of a civil money penalty would 
jeopardize the ability of the covered entity or business associate to 
continue to provide, or to pay for, health care; and
    (3) The size of the covered entity or business associate; and
    (e) Such other matters as justice may require.

[[Page 5692]]


0
21. Revise Sec.  160.410 to read as follows:


Sec.  160.410  Affirmative defenses.

    (a) The Secretary may not:
    (1) Prior to February 18, 2011, impose a civil money penalty on a 
covered entity or business associate for an act that violates an 
administrative simplification provision if the covered entity or 
business associate establishes that the violation is punishable under 
42 U.S.C. 1320d-6.
    (2) On or after February 18, 2011, impose a civil money penalty on 
a covered entity or business associate for an act that violates an 
administrative simplification provision if the covered entity or 
business associate establishes that a penalty has been imposed under 42 
U.S.C. 1320d-6 with respect to such act.
    (b) For violations occurring prior to February 18, 2009, the 
Secretary may not impose a civil money penalty on a covered entity for 
a violation if the covered entity establishes that an affirmative 
defense exists with respect to the violation, including the following:
    (1) The covered entity establishes, to the satisfaction of the 
Secretary, that it did not have knowledge of the violation, determined 
in accordance with the Federal common law of agency, and by exercising 
reasonable diligence, would not have known that the violation occurred; 
or
    (2) The violation is--
    (i) Due to circumstances that would make it unreasonable for the 
covered entity, despite the exercise of ordinary business care and 
prudence, to comply with the administrative simplification provision 
violated and is not due to willful neglect; and
    (ii) Corrected during either:
    (A) The 30-day period beginning on the first date the covered 
entity liable for the penalty knew, or by exercising reasonable 
diligence would have known, that the violation occurred; or
    (B) Such additional period as the Secretary determines to be 
appropriate based on the nature and extent of the failure to comply.
    (c) For violations occurring on or after February 18, 2009, the 
Secretary may not impose a civil money penalty on a covered entity or 
business associate for a violation if the covered entity or business 
associate establishes to the satisfaction of the Secretary that the 
violation is--
    (1) Not due to willful neglect; and
    (2) Corrected during either:
    (i) The 30-day period beginning on the first date the covered 
entity or business associate liable for the penalty knew, or, by 
exercising reasonable diligence, would have known that the violation 
occurred; or
    (ii) Such additional period as the Secretary determines to be 
appropriate based on the nature and extent of the failure to comply.

0
22. Revise Sec.  160.412 to read as follows:


Sec.  160.412  Waiver.

    For violations described in Sec.  160.410(b)(2) or (c) that are not 
corrected within the period specified under such paragraphs, the 
Secretary may waive the civil money penalty, in whole or in part, to 
the extent that the payment of the penalty would be excessive relative 
to the violation.

0
23. Revise Sec.  160.418 to read as follows:


Sec.  160.418  Penalty not exclusive.

    Except as otherwise provided by 42 U.S.C. 1320d-5(b)(1) and 42 
U.S.C. 299b-22(f)(3), a penalty imposed under this part is in addition 
to any other penalty prescribed by law.

0
24. Amend Sec.  160.534 as follows:
0
a. Revise paragraph (b)(1)(iii);
0
b. Add paragraph (b)(1)(iv); and
0
c. Revise paragraph (b)(2).
    The revisions read as follows:


Sec.  160.534  The hearing.

* * * * *
    (b)(1) * * *
    (iii) Claim that a proposed penalty should be reduced or waived 
pursuant to Sec.  160.412 of this part; and
    (iv) Compliance with subpart D of part 164, as provided under Sec.  
164.414(b).
    (2) The Secretary has the burden of going forward and the burden of 
persuasion with respect to all other issues, including issues of 
liability other than with respect to subpart D of part 164, and the 
existence of any factors considered aggravating factors in determining 
the amount of the proposed penalty.
* * * * *

PART 164--SECURITY AND PRIVACY

0
25. The authority citation for part 164 is revised to read as follows:

    Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, 
Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)); and 
secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.

0
26. Revise Sec.  164.102 to read as follows:


Sec.  164.102  Statutory basis.

    The provisions of this part are adopted pursuant to the Secretary's 
authority to prescribe standards, requirements, and implementation 
specifications under part C of title XI of the Act, section 264 of 
Public Law 104-191, and sections 13400-13424 of Public Law 111-5.

0
27. In Sec.  164.104, revise paragraph (b) to read as follows:


Sec.  164.104  Applicability.

* * * * *
    (b) Where provided, the standards, requirements, and implementation 
specifications adopted under this part apply to a business associate.

0
28. Amend Sec.  164.105 as follows:
0
a. Revise the introductory text of paragraph (a)(1), the introductory 
text of paragraph (a)(2)(i), paragraph (a)(2)(ii), the introductory 
text of paragraph (a)(2)(iii), and paragraphs (a)(2)(iii)(A) and (B);
0
b. Redesignate paragraph (a)(2)(iii)(C) as paragraph (a)(2)(iii)(D) and 
add new paragraph (a)(2)(iii)(C);
0
c. Revise newly redesignated paragraph (a)(2)(iii)(D); and
0
d. Revise paragraph (b).
    The revisions read as follows:


Sec.  164.105  Organizational requirements.

    (a)(1) Standard: Health care component. If a covered entity is a 
hybrid entity, the requirements of this part, other than the 
requirements of this section, Sec.  164.314, and Sec.  164.504, apply 
only to the health care component(s) of the entity, as specified in 
this section.
    (2) * * *
    (i) Application of other provisions. In applying a provision of 
this part, other than the requirements of this section, Sec.  164.314, 
and Sec.  164.504, to a hybrid entity:
* * * * *
    (ii) Safeguard requirements. The covered entity that is a hybrid 
entity must ensure that a health care component of the entity complies 
with the applicable requirements of this part. In particular, and 
without limiting this requirement, such covered entity must ensure 
that:
    (A) Its health care component does not disclose protected health 
information to another component of the covered entity in circumstances 
in which subpart E of this part would prohibit such disclosure if the 
health care component and the other component were separate and 
distinct legal entities;
    (B) Its health care component protects electronic protected health 
information with respect to another component of the covered entity to 
the same extent that it would be required under subpart C of this part 
to protect such information if the health care

[[Page 5693]]

component and the other component were separate and distinct legal 
entities;
    (C) If a person performs duties for both the health care component 
in the capacity of a member of the workforce of such component and for 
another component of the entity in the same capacity with respect to 
that component, such workforce member must not use or disclose 
protected health information created or received in the course of or 
incident to the member's work for the health care component in a way 
prohibited by subpart E of this part.
    (iii) Responsibilities of the covered entity. A covered entity that 
is a hybrid entity has the following responsibilities:
    (A) For purposes of subpart C of part 160 of this subchapter, 
pertaining to compliance and enforcement, the covered entity has the 
responsibility of complying with this part.
    (B) The covered entity is responsible for complying with Sec.  
164.316(a) and Sec.  164.530(i), pertaining to the implementation of 
policies and procedures to ensure compliance with applicable 
requirements of this part, including the safeguard requirements in 
paragraph (a)(2)(ii) of this section.
    (C) The covered entity is responsible for complying with Sec.  
164.314 and Sec.  164.504 regarding business associate arrangements and 
other organizational requirements.
    (D) The covered entity is responsible for designating the 
components that are part of one or more health care components of the 
covered entity and documenting the designation in accordance with 
paragraph (c) of this section, provided that, if the covered entity 
designates one or more health care components, it must include any 
component that would meet the definition of a covered entity or 
business associate if it were a separate legal entity. Health care 
component(s) also may include a component only to the extent that it 
performs covered functions.
    (b)(1) Standard: Affiliated covered entities. Legally separate 
covered entities that are affiliated may designate themselves as a 
single covered entity for purposes of this part.
    (2) Implementation specifications.
    (i) Requirements for designation of an affiliated covered entity.
    (A) Legally separate covered entities may designate themselves 
(including any health care component of such covered entity) as a 
single affiliated covered entity, for purposes of this part, if all of 
the covered entities designated are under common ownership or control.
    (B) The designation of an affiliated covered entity must be 
documented and the documentation maintained as required by paragraph 
(c) of this section.
    (ii) Safeguard requirements. An affiliated covered entity must 
ensure that it complies with the applicable requirements of this part, 
including, if the affiliated covered entity combines the functions of a 
health plan, health care provider, or health care clearinghouse, Sec.  
164.308(a)(4)(ii)(A) and Sec.  164.504(g), as applicable.
* * * * *

0
29. Revise Sec.  164.106 to read as follows:


Sec.  164.106  Relationship to other parts.

    In complying with the requirements of this part, covered entities 
and, where provided, business associates, are required to comply with 
the applicable provisions of parts 160 and 162 of this subchapter.

0
30. The authority citation for subpart C of part 164 is revised to read 
as follows:

    Authority: 42 U.S.C. 1320d-2 and 1320d-4; sec. 13401, Pub. L. 
111-5, 123 Stat. 260.


0
31. Revise Sec.  164.302 to read as follows:


Sec.  164.302  Applicability.

    A covered entity or business associate must comply with the 
applicable standards, implementation specifications, and requirements 
of this subpart with respect to electronic protected health information 
of a covered entity.

0
32. In Sec.  164.304, revise the definitions of ``Administrative 
safeguards'' and ``Physical safeguards'' to read as follows:


Sec.  164.304  Definitions.

* * * * *
    Administrative safeguards are administrative actions, and policies 
and procedures, to manage the selection, development, implementation, 
and maintenance of security measures to protect electronic protected 
health information and to manage the conduct of the covered entity's or 
business associate's workforce in relation to the protection of that 
information.
* * * * *
    Physical safeguards are physical measures, policies, and procedures 
to protect a covered entity's or business associate's electronic 
information systems and related buildings and equipment, from natural 
and environmental hazards, and unauthorized intrusion.
* * * * *

0
33. Amend Sec.  164.306 as follows:
0
a. Revise the introductory text of paragraph (a) and paragraph (a)(1);
0
b. Revise paragraph (b)(1), the introductory text of paragraph (b)(2), 
and paragraphs (b)(2)(i) and (b)(2)(ii);
0
c. Revise paragraph (c);
0
d. Revise paragraph (d)(2), the introductory text of paragraph (d)(3), 
paragraph (d)(3)(i), and the introductory text of paragraph (d)(3)(ii); 
and
0
e. Revise paragraph (e).
    The revisions read as follows:


Sec.  164.306  Security standards: General rules.

    (a) General requirements. Covered entities and business associates 
must do the following:
    (1) Ensure the confidentiality, integrity, and availability of all 
electronic protected health information the covered entity or business 
associate creates, receives, maintains, or transmits.
* * * * *
    (b) * * *
    (1) Covered entities and business associates may use any security 
measures that allow the covered entity or business associate to 
reasonably and appropriately implement the standards and implementation 
specifications as specified in this subpart.
    (2) In deciding which security measures to use, a covered entity or 
business associate must take into account the following factors:
    (i) The size, complexity, and capabilities of the covered entity or 
business associate.
    (ii) The covered entity's or the business associate's technical 
infrastructure, hardware, and software security capabilities.
* * * * *
    (c) Standards. A covered entity or business associate must comply 
with the applicable standards as provided in this section and in Sec.  
164.308, Sec.  164.310, Sec.  164.312, Sec.  164.314 and Sec.  164.316 
with respect to all electronic protected health information.
    (d) * * *
    (2) When a standard adopted in Sec.  164.308, Sec.  164.310, Sec.  
164.312, Sec.  164.314, or Sec.  164.316 includes required 
implementation specifications, a covered entity or business associate 
must implement the implementation specifications.
    (3) When a standard adopted in Sec.  164.308, Sec.  164.310, Sec.  
164.312, Sec.  164.314, or Sec.  164.316 includes addressable 
implementation specifications, a covered entity or business associate 
must--
    (i) Assess whether each implementation specification is a

[[Page 5694]]

reasonable and appropriate safeguard in its environment, when analyzed 
with reference to the likely contribution to protecting electronic 
protected health information; and
    (ii) As applicable to the covered entity or business associate--
* * * * *
    (e) Maintenance. A covered entity or business associate must review 
and modify the security measures implemented under this subpart as 
needed to continue provision of reasonable and appropriate protection 
of electronic protected health information, and update documentation of 
such security measures in accordance with Sec.  164.316(b)(2)(iii).

0
34. Amend Sec.  164.308 as follows:
0
a. Revise the introductory text of paragraph (a), paragraph 
(a)(1)(ii)(A), paragraph (a)(1)(ii)(C), paragraph (a)(2), paragraph 
(a)(3)(ii)(C), paragraph (a)(4)(ii)(C), paragraph (a)(6)(ii), and 
paragraph (a)(8); and
0
b. Revise paragraph (b).
    The revisions read as follows:


Sec.  164.308  Administrative safeguards.

    (a) A covered entity or business associate must, in accordance with 
Sec.  164.306:
    (1) * * *
    (ii) * * *
    (A) Risk analysis (Required). Conduct an accurate and thorough 
assessment of the potential risks and vulnerabilities to the 
confidentiality, integrity, and availability of electronic protected 
health information held by the covered entity or business associate.
* * * * *
    (C) Sanction policy (Required). Apply appropriate sanctions against 
workforce members who fail to comply with the security policies and 
procedures of the covered entity or business associate.
* * * * *
    (2) Standard: Assigned security responsibility. Identify the 
security official who is responsible for the development and 
implementation of the policies and procedures required by this subpart 
for the covered entity or business associate.
    (3) * * *
    (ii) * * *
    (C) Termination procedures (Addressable). Implement procedures for 
terminating access to electronic protected health information when the 
employment of, or other arrangement with, a workforce member ends or as 
required by determinations made as specified in paragraph (a)(3)(ii)(B) 
of this section.
    (4) * * *
    (ii) * * *
    (C) Access establishment and modification (Addressable). Implement 
policies and procedures that, based upon the covered entity's or the 
business associate's access authorization policies, establish, 
document, review, and modify a user's right of access to a workstation, 
transaction, program, or process.
* * * * *
    (6) * * *
    (ii) Implementation specification: Response and reporting 
(Required). Identify and respond to suspected or known security 
incidents; mitigate, to the extent practicable, harmful effects of 
security incidents that are known to the covered entity or business 
associate; and document security incidents and their outcomes.
* * * * *
    (8) Standard: Evaluation. Perform a periodic technical and 
nontechnical evaluation, based initially upon the standards implemented 
under this rule and, subsequently, in response to environmental or 
operational changes affecting the security of electronic protected 
health information, that establishes the extent to which a covered 
entity's or business associate's security policies and procedures meet 
the requirements of this subpart.
    (b)(1) Business associate contracts and other arrangements. A 
covered entity may permit a business associate to create, receive, 
maintain, or transmit electronic protected health information on the 
covered entity's behalf only if the covered entity obtains satisfactory 
assurances, in accordance with Sec.  164.314(a), that the business 
associate will appropriately safeguard the information. A covered 
entity is not required to obtain such satisfactory assurances from a 
business associate that is a subcontractor.
    (2) A business associate may permit a business associate that is a 
subcontractor to create, receive, maintain, or transmit electronic 
protected health information on its behalf only if the business 
associate obtains satisfactory assurances, in accordance with Sec.  
164.314(a), that the subcontractor will appropriately safeguard the 
information.
    (3) Implementation specifications: Written contract or other 
arrangement (Required). Document the satisfactory assurances required 
by paragraph (b)(1) or (b)(2) of this section through a written 
contract or other arrangement with the business associate that meets 
the applicable requirements of Sec.  164.314(a).

0
35. Revise the introductory text of Sec.  164.310 to read as follows:


Sec.  164.310  Physical safeguards.

    A covered entity or business associate must, in accordance with 
Sec.  164.306:
* * * * *

0
36. Revise the introductory text of Sec.  164.312 to read as follows:


Sec.  164.312  Technical safeguards.

    A covered entity or business associate must, in accordance with 
Sec.  164.306:
* * * * *

0
37. Amend Sec.  164.314 by revising paragraphs (a) and (b)(2)(iii) to 
read as follows:


Sec.  164.314  Organizational requirements.

    (a)(1) Standard: Business associate contracts or other 
arrangements. The contract or other arrangement required by Sec.  
164.308(b)(4) must meet the requirements of paragraph (a)(2)(i), 
(a)(2)(ii), or (a)(2)(iii) of this section, as applicable.
    (2) Implementation specifications (Required).
    (i) Business associate contracts. The contract must provide that 
the business associate will--
    (A) Comply with the applicable requirements of this subpart;
    (B) In accordance with Sec.  164.308(b)(2), ensure that any 
subcontractors that create, receive, maintain, or transmit electronic 
protected health information on behalf of the business associate agree 
to comply with the applicable requirements of this subpart by entering 
into a contract or other arrangement that complies with this section; 
and
    (C) Report to the covered entity any security incident of which it 
becomes aware, including breaches of unsecured protected health 
information as required by Sec.  164.410.
    (ii) Other arrangements. The covered entity is in compliance with 
paragraph (a)(1) of this section if it has another arrangement in place 
that meets the requirements of Sec.  164.504(e)(3).
    (iii) Business associate contracts with subcontractors. The 
requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section 
apply to the contract or other arrangement between a business associate 
and a subcontractor required by Sec.  164.308(b)(4) in the same manner 
as such requirements apply to contracts or other arrangements between a 
covered entity and business associate.
    (b) * * *
    (2) * * *
    (iii) Ensure that any agent to whom it provides this information 
agrees to implement reasonable and appropriate security measures to 
protect the information; and
* * * * *

[[Page 5695]]


0
38. Revise the introductory text of Sec.  164.316 and the third 
sentence of paragraph (a) to read as follows:


Sec.  164.316  Policies and procedures and documentation requirements.

    A covered entity or business associate must, in accordance with 
Sec.  164.306:
    (a) * * * A covered entity or business associate may change its 
policies and procedures at any time, provided that the changes are 
documented and are implemented in accordance with this subpart.
* * * * *

0
39. Revise Sec.  164.402 to read as follows:


Sec.  164.402  Definitions.

    As used in this subpart, the following terms have the following 
meanings:
    Breach means the acquisition, access, use, or disclosure of 
protected health information in a manner not permitted under subpart E 
of this part which compromises the security or privacy of the protected 
health information.
    (1) Breach excludes:
    (i) Any unintentional acquisition, access, or use of protected 
health information by a workforce member or person acting under the 
authority of a covered entity or a business associate, if such 
acquisition, access, or use was made in good faith and within the scope 
of authority and does not result in further use or disclosure in a 
manner not permitted under subpart E of this part.
    (ii) Any inadvertent disclosure by a person who is authorized to 
access protected health information at a covered entity or business 
associate to another person authorized to access protected health 
information at the same covered entity or business associate, or 
organized health care arrangement in which the covered entity 
participates, and the information received as a result of such 
disclosure is not further used or disclosed in a manner not permitted 
under subpart E of this part.
    (iii) A disclosure of protected health information where a covered 
entity or business associate has a good faith belief that an 
unauthorized person to whom the disclosure was made would not 
reasonably have been able to retain such information.
    (2) Except as provided in paragraph (1) of this definition, an 
acquisition, access, use, or disclosure of protected health information 
in a manner not permitted under subpart E is presumed to be a breach 
unless the covered entity or business associate, as applicable, 
demonstrates that there is a low probability that the protected health 
information has been compromised based on a risk assessment of at least 
the following factors:
    (i) The nature and extent of the protected health information 
involved, including the types of identifiers and the likelihood of re-
identification;
    (ii) The unauthorized person who used the protected health 
information or to whom the disclosure was made;
    (iii) Whether the protected health information was actually 
acquired or viewed; and
    (iv) The extent to which the risk to the protected health 
information has been mitigated.
    Unsecured protected health information means protected health 
information that is not rendered unusable, unreadable, or 
indecipherable to unauthorized persons through the use of a technology 
or methodology specified by the Secretary in the guidance issued under 
section 13402(h)(2) of Public Law 111-5.

0
40. In Sec.  164.406, revise paragraph (a) to read as follows:


Sec.  164.406  Notification to the media.

    (a) Standard. For a breach of unsecured protected health 
information involving more than 500 residents of a State or 
jurisdiction, a covered entity shall, following the discovery of the 
breach as provided in Sec.  164.404(a)(2), notify prominent media 
outlets serving the State or jurisdiction.
* * * * *

0
41. In Sec.  164.408, revise paragraph (c) to read as follows:


Sec.  164.408  Notification to the Secretary.

* * * * *
    (c) Implementation specifications: Breaches involving less than 500 
individuals. For breaches of unsecured protected health information 
involving less than 500 individuals, a covered entity shall maintain a 
log or other documentation of such breaches and, not later than 60 days 
after the end of each calendar year, provide the notification required 
by paragraph (a) of this section for breaches discovered during the 
preceding calendar year, in the manner specified on the HHS web site.

0
42. In Sec.  164.410, revise paragraph (a) to read as follows:


Sec.  164.410  Notification by a business associate.

    (a) Standard--(1) General rule. A business associate shall, 
following the discovery of a breach of unsecured protected health 
information, notify the covered entity of such breach.
    (2) Breaches treated as discovered. For purposes of paragraph 
(a)(1) of this section, a breach shall be treated as discovered by a 
business associate as of the first day on which such breach is known to 
the business associate or, by exercising reasonable diligence, would 
have been known to the business associate. A business associate shall 
be deemed to have knowledge of a breach if the breach is known, or by 
exercising reasonable diligence would have been known, to any person, 
other than the person committing the breach, who is an employee, 
officer, or other agent of the business associate (determined in 
accordance with the Federal common law of agency).
* * * * *

0
43. The authority citation for subpart E of part 164 is revised to read 
as follows:

    Authority: 42 U.S.C. 1320d-2, 1320d-4, and 1320d-9; sec. 264 of 
Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); and 
secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.


0
44. In Sec.  164.500, redesignate paragraph (c) as paragraph (d) and 
add new paragraph (c) to read as follows:


Sec.  164.500  Applicability.

* * * * *
    (c) Where provided, the standards, requirements, and implementation 
specifications adopted under this subpart apply to a business associate 
with respect to the protected health information of a covered entity.
* * * * *

0
45. Amend Sec.  164.501 as follows:
0
a. Revise paragraphs (1) and (3) of the definition of ``Health care 
operations'';
0
b. Revise the definition of ``Marketing''; and
0
c. Revise paragraph (1)(i) of the definition of ``Payment''.
    The revisions read as follows:


Sec.  164.501  Definitions.

* * * * *
    Health care operations means * * *
    (1) Conducting quality assessment and improvement activities, 
including outcomes evaluation and development of clinical guidelines, 
provided that the obtaining of generalizable knowledge is not the 
primary purpose of any studies resulting from such activities; patient 
safety activities (as defined in 42 CFR 3.20); population-based 
activities relating to improving health or reducing health care costs, 
protocol development, case management and care coordination, contacting 
of health care providers and patients with information about treatment 
alternatives; and related functions that do not include treatment;
* * * * *
    (3) Except as prohibited under Sec.  164.502(a)(5)(i), 
underwriting,

[[Page 5696]]

enrollment, premium rating, and other activities related to the 
creation, renewal, or replacement of a contract of health insurance or 
health benefits, and ceding, securing, or placing a contract for 
reinsurance of risk relating to claims for health care (including stop-
loss insurance and excess of loss insurance), provided that the 
requirements of Sec.  164.514(g) are met, if applicable;
* * * * *
    Marketing: (1) Except as provided in paragraph (2) of this 
definition, marketing means to make a communication about a product or 
service that encourages recipients of the communication to purchase or 
use the product or service.
    (2) Marketing does not include a communication made:
    (i) To provide refill reminders or otherwise communicate about a 
drug or biologic that is currently being prescribed for the individual, 
only if any financial remuneration received by the covered entity in 
exchange for making the communication is reasonably related to the 
covered entity's cost of making the communication.
    (ii) For the following treatment and health care operations 
purposes, except where the covered entity receives financial 
remuneration in exchange for making the communication:
    (A) For treatment of an individual by a health care provider, 
including case management or care coordination for the individual, or 
to direct or recommend alternative treatments, therapies, health care 
providers, or settings of care to the individual;
    (B) To describe a health-related product or service (or payment for 
such product or service) that is provided by, or included in a plan of 
benefits of, the covered entity making the communication, including 
communications about: the entities participating in a health care 
provider network or health plan network; replacement of, or 
enhancements to, a health plan; and health-related products or services 
available only to a health plan enrollee that add value to, but are not 
part of, a plan of benefits; or
    (C) For case management or care coordination, contacting of 
individuals with information about treatment alternatives, and related 
functions to the extent these activities do not fall within the 
definition of treatment.
    (3) Financial remuneration means direct or indirect payment from or 
on behalf of a third party whose product or service is being described. 
Direct or indirect payment does not include any payment for treatment 
of an individual.
    Payment means:
    (1) * * *
    (i) Except as prohibited under Sec.  164.502(a)(5)(i), a health 
plan to obtain premiums or to determine or fulfill its responsibility 
for coverage and provision of benefits under the health plan; or
* * * * *

0
46. In Sec.  164.502, revise paragraphs (a), (b)(1), (e), and (f) to 
read as follows:


Sec.  164.502  Uses and disclosures of protected health information: 
General rules.

    (a) Standard. A covered entity or business associate may not use or 
disclose protected health information, except as permitted or required 
by this subpart or by subpart C of part 160 of this subchapter.
    (1) Covered entities: Permitted uses and disclosures. A covered 
entity is permitted to use or disclose protected health information as 
follows:
    (i) To the individual;
    (ii) For treatment, payment, or health care operations, as 
permitted by and in compliance with Sec.  164.506;
    (iii) Incident to a use or disclosure otherwise permitted or 
required by this subpart, provided that the covered entity has complied 
with the applicable requirements of Sec. Sec.  164.502(b), 164.514(d), 
and 164.530(c) with respect to such otherwise permitted or required use 
or disclosure;
    (iv) Except for uses and disclosures prohibited under Sec.  
164.502(a)(5)(i), pursuant to and in compliance with a valid 
authorization under Sec.  164.508;
    (v) Pursuant to an agreement under, or as otherwise permitted by, 
Sec.  164.510; and
    (vi) As permitted by and in compliance with this section, Sec.  
164.512, Sec.  164.514(e), (f), or (g).
    (2) Covered entities: Required disclosures. A covered entity is 
required to disclose protected health information:
    (i) To an individual, when requested under, and required by Sec.  
164.524 or Sec.  164.528; and
    (ii) When required by the Secretary under subpart C of part 160 of 
this subchapter to investigate or determine the covered entity's 
compliance with this subchapter.
    (3) Business associates: Permitted uses and disclosures. A business 
associate may use or disclose protected health information only as 
permitted or required by its business associate contract or other 
arrangement pursuant to Sec.  164.504(e) or as required by law. The 
business associate may not use or disclose protected health information 
in a manner that would violate the requirements of this subpart, if 
done by the covered entity, except for the purposes specified under 
Sec.  164.504(e)(2)(i)(A) or (B) if such uses or disclosures are 
permitted by its contract or other arrangement.
    (4) Business associates: Required uses and disclosures. A business 
associate is required to disclose protected health information:
    (i) When required by the Secretary under subpart C of part 160 of 
this subchapter to investigate or determine the business associate's 
compliance with this subchapter.
    (ii) To the covered entity, individual, or individual's designee, 
as necessary to satisfy a covered entity's obligations under Sec.  
164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request 
for an electronic copy of protected health information.
    (5) Prohibited uses and disclosures.
    (i) Use and disclosure of genetic information for underwriting 
purposes: Notwithstanding any other provision of this subpart, a health 
plan, excluding an issuer of a long-term care policy falling within 
paragraph (1)(viii) of the definition of health plan, shall not use or 
disclose protected health information that is genetic information for 
underwriting purposes. For purposes of paragraph (a)(5)(i) of this 
section, underwriting purposes means, with respect to a health plan:
    (A) Except as provided in paragraph (a)(5)(i)(B) of this section:
    (1) Rules for, or determination of, eligibility (including 
enrollment and continued eligibility) for, or determination of, 
benefits under the plan, coverage, or policy (including changes in 
deductibles or other cost-sharing mechanisms in return for activities 
such as completing a health risk assessment or participating in a 
wellness program);
    (2) The computation of premium or contribution amounts under the 
plan, coverage, or policy (including discounts, rebates, payments in 
kind, or other premium differential mechanisms in return for activities 
such as completing a health risk assessment or participating in a 
wellness program);
    (3) The application of any pre-existing condition exclusion under 
the plan, coverage, or policy; and
    (4) Other activities related to the creation, renewal, or 
replacement of a contract of health insurance or health benefits.
    (B) Underwriting purposes does not include determinations of 
medical appropriateness where an individual seeks a benefit under the 
plan, coverage, or policy.
    (ii) Sale of protected health information:

[[Page 5697]]

    (A) Except pursuant to and in compliance with Sec.  164.508(a)(4), 
a covered entity or business associate may not sell protected health 
information.
    (B) For purposes of this paragraph, sale of protected health 
information means:
    (1) Except as provided in paragraph (a)(5)(ii)(B)(2) of this 
section, a disclosure of protected health information by a covered 
entity or business associate, if applicable, where the covered entity 
or business associate directly or indirectly receives remuneration from 
or on behalf of the recipient of the protected health information in 
exchange for the protected health information.
    (2) Sale of protected health information does not include a 
disclosure of protected health information:
    (i) For public health purposes pursuant to Sec.  164.512(b) or 
Sec.  164.514(e);
    (ii) For research purposes pursuant to Sec.  164.512(i) or Sec.  
164.514(e), where the only remuneration received by the covered entity 
or business associate is a reasonable cost-based fee to cover the cost 
to prepare and transmit the protected health information for such 
purposes;
    (iii) For treatment and payment purposes pursuant to Sec.  
164.506(a);
    (iv) For the sale, transfer, merger, or consolidation of all or 
part of the covered entity and for related due diligence as described 
in paragraph (6)(iv) of the definition of health care operations and 
pursuant to Sec.  164.506(a);
    (v) To or by a business associate for activities that the business 
associate undertakes on behalf of a covered entity, or on behalf of a 
business associate in the case of a subcontractor, pursuant to 
Sec. Sec.  164.502(e) and 164.504(e), and the only remuneration 
provided is by the covered entity to the business associate, or by the 
business associate to the subcontractor, if applicable, for the 
performance of such activities;
    (vi) To an individual, when requested under Sec.  164.524 or Sec.  
164.528;
    (vii) Required by law as permitted under Sec.  164.512(a); and
    (viii) For any other purpose permitted by and in accordance with 
the applicable requirements of this subpart, where the only 
remuneration received by the covered entity or business associate is a 
reasonable, cost-based fee to cover the cost to prepare and transmit 
the protected health information for such purpose or a fee otherwise 
expressly permitted by other law.
    (b) * * *
    (1) Minimum necessary applies. When using or disclosing protected 
health information or when requesting protected health information from 
another covered entity or business associate, a covered entity or 
business associate must make reasonable efforts to limit protected 
health information to the minimum necessary to accomplish the intended 
purpose of the use, disclosure, or request.
* * * * *
    (e)(1) Standard: Disclosures to business associates. (i) A covered 
entity may disclose protected health information to a business 
associate and may allow a business associate to create, receive, 
maintain, or transmit protected health information on its behalf, if 
the covered entity obtains satisfactory assurance that the business 
associate will appropriately safeguard the information. A covered 
entity is not required to obtain such satisfactory assurances from a 
business associate that is a subcontractor.
    (ii) A business associate may disclose protected health information 
to a business associate that is a subcontractor and may allow the 
subcontractor to create, receive, maintain, or transmit protected 
health information on its behalf, if the business associate obtains 
satisfactory assurances, in accordance with Sec.  164.504(e)(1)(i), 
that the subcontractor will appropriately safeguard the information.
    (2) Implementation specification: Documentation. The satisfactory 
assurances required by paragraph (e)(1) of this section must be 
documented through a written contract or other written agreement or 
arrangement with the business associate that meets the applicable 
requirements of Sec.  164.504(e).
    (f) Standard: Deceased individuals. A covered entity must comply 
with the requirements of this subpart with respect to the protected 
health information of a deceased individual for a period of 50 years 
following the death of the individual.
* * * * *

0
47. In Sec.  164.504, revise paragraphs (e), (f)(1)(ii) introductory 
text, and (f)(2)(ii)(B) to read as follows:


Sec.  164.504  Uses and disclosures: Organizational requirements.

* * * * *
    (e)(1) Standard: Business associate contracts. (i) The contract or 
other arrangement required by Sec.  164.502(e)(2) must meet the 
requirements of paragraph (e)(2), (e)(3), or (e)(5) of this section, as 
applicable.
    (ii) A covered entity is not in compliance with the standards in 
Sec.  164.502(e) and this paragraph, if the covered entity knew of a 
pattern of activity or practice of the business associate that 
constituted a material breach or violation of the business associate's 
obligation under the contract or other arrangement, unless the covered 
entity took reasonable steps to cure the breach or end the violation, 
as applicable, and, if such steps were unsuccessful, terminated the 
contract or arrangement, if feasible.
    (iii) A business associate is not in compliance with the standards 
in Sec.  164.502(e) and this paragraph, if the business associate knew 
of a pattern of activity or practice of a subcontractor that 
constituted a material breach or violation of the subcontractor's 
obligation under the contract or other arrangement, unless the business 
associate took reasonable steps to cure the breach or end the 
violation, as applicable, and, if such steps were unsuccessful, 
terminated the contract or arrangement, if feasible.
    (2) Implementation specifications: Business associate contracts. A 
contract between the covered entity and a business associate must:
    (i) Establish the permitted and required uses and disclosures of 
protected health information by the business associate. The contract 
may not authorize the business associate to use or further disclose the 
information in a manner that would violate the requirements of this 
subpart, if done by the covered entity, except that:
    (A) The contract may permit the business associate to use and 
disclose protected health information for the proper management and 
administration of the business associate, as provided in paragraph 
(e)(4) of this section; and
    (B) The contract may permit the business associate to provide data 
aggregation services relating to the health care operations of the 
covered entity.
    (ii) Provide that the business associate will:
    (A) Not use or further disclose the information other than as 
permitted or required by the contract or as required by law;
    (B) Use appropriate safeguards and comply, where applicable, with 
subpart C of this part with respect to electronic protected health 
information, to prevent use or disclosure of the information other than 
as provided for by its contract;
    (C) Report to the covered entity any use or disclosure of the 
information not provided for by its contract of which it becomes aware, 
including breaches of unsecured protected health information as 
required by Sec.  164.410;
    (D) In accordance with Sec.  164.502(e)(1)(ii), ensure that any

[[Page 5698]]

subcontractors that create, receive, maintain, or transmit protected 
health information on behalf of the business associate agree to the 
same restrictions and conditions that apply to the business associate 
with respect to such information;
    (E) Make available protected health information in accordance with 
Sec.  164.524;
    (F) Make available protected health information for amendment and 
incorporate any amendments to protected health information in 
accordance with Sec.  164.526;
    (G) Make available the information required to provide an 
accounting of disclosures in accordance with Sec.  164.528;
    (H) To the extent the business associate is to carry out a covered 
entity's obligation under this subpart, comply with the requirements of 
this subpart that apply to the covered entity in the performance of 
such obligation.
    (I) Make its internal practices, books, and records relating to the 
use and disclosure of protected health information received from, or 
created or received by the business associate on behalf of, the covered 
entity available to the Secretary for purposes of determining the 
covered entity's compliance with this subpart; and
    (J) At termination of the contract, if feasible, return or destroy 
all protected health information received from, or created or received 
by the business associate on behalf of, the covered entity that the 
business associate still maintains in any form and retain no copies of 
such information or, if such return or destruction is not feasible, 
extend the protections of the contract to the information and limit 
further uses and disclosures to those purposes that make the return or 
destruction of the information infeasible.
    (iii) Authorize termination of the contract by the covered entity, 
if the covered entity determines that the business associate has 
violated a material term of the contract.
    (3) Implementation specifications: Other arrangements. (i) If a 
covered entity and its business associate are both governmental 
entities:
    (A) The covered entity may comply with this paragraph and Sec.  
164.314(a)(1), if applicable, by entering into a memorandum of 
understanding with the business associate that contains terms that 
accomplish the objectives of paragraph (e)(2) of this section and Sec.  
164.314(a)(2), if applicable.
    (B) The covered entity may comply with this paragraph and Sec.  
164.314(a)(1), if applicable, if other law (including regulations 
adopted by the covered entity or its business associate) contains 
requirements applicable to the business associate that accomplish the 
objectives of paragraph (e)(2) of this section and Sec.  164.314(a)(2), 
if applicable.
    (ii) If a business associate is required by law to perform a 
function or activity on behalf of a covered entity or to provide a 
service described in the definition of business associate in Sec.  
160.103 of this subchapter to a covered entity, such covered entity may 
disclose protected health information to the business associate to the 
extent necessary to comply with the legal mandate without meeting the 
requirements of this paragraph and Sec.  164.314(a)(1), if applicable, 
provided that the covered entity attempts in good faith to obtain 
satisfactory assurances as required by paragraph (e)(2) of this section 
and Sec.  164.314(a)(1), if applicable, and, if such attempt fails, 
documents the attempt and the reasons that such assurances cannot be 
obtained.
    (iii) The covered entity may omit from its other arrangements the 
termination authorization required by paragraph (e)(2)(iii) of this 
section, if such authorization is inconsistent with the statutory 
obligations of the covered entity or its business associate.
    (iv) A covered entity may comply with this paragraph and Sec.  
164.314(a)(1) if the covered entity discloses only a limited data set 
to a business associate for the business associate to carry out a 
health care operations function and the covered entity has a data use 
agreement with the business associate that complies with Sec.  
164.514(e)(4) and Sec.  164.314(a)(1), if applicable.
    (4) Implementation specifications: Other requirements for contracts 
and other arrangements. (i) The contract or other arrangement between 
the covered entity and the business associate may permit the business 
associate to use the protected health information received by the 
business associate in its capacity as a business associate to the 
covered entity, if necessary:
    (A) For the proper management and administration of the business 
associate; or
    (B) To carry out the legal responsibilities of the business 
associate.
    (ii) The contract or other arrangement between the covered entity 
and the business associate may permit the business associate to 
disclose the protected health information received by the business 
associate in its capacity as a business associate for the purposes 
described in paragraph (e)(4)(i) of this section, if:
    (A) The disclosure is required by law; or
    (B)(1) The business associate obtains reasonable assurances from 
the person to whom the information is disclosed that it will be held 
confidentially and used or further disclosed only as required by law or 
for the purposes for which it was disclosed to the person; and
    (2) The person notifies the business associate of any instances of 
which it is aware in which the confidentiality of the information has 
been breached.
    (5) Implementation specifications: Business associate contracts 
with subcontractors. The requirements of Sec.  164.504(e)(2) through 
(e)(4) apply to the contract or other arrangement required by Sec.  
164.502(e)(1)(ii) between a business associate and a business associate 
that is a subcontractor in the same manner as such requirements apply 
to contracts or other arrangements between a covered entity and 
business associate.
    (f)(1)* * *
    (ii) Except as prohibited by Sec.  164.502(a)(5)(i), the group 
health plan, or a health insurance issuer or HMO with respect to the 
group health plan, may disclose summary health information to the plan 
sponsor, if the plan sponsor requests the summary health information 
for purposes of:
* * * * *
    (2) * * *
    (ii) * * *
    (B) Ensure that any agents to whom it provides protected health 
information received from the group health plan agree to the same 
restrictions and conditions that apply to the plan sponsor with respect 
to such information;
* * * * *

0
48. In Sec.  164.506, revise paragraphs (a) and (c)(5) to read as 
follows:


Sec.  164.506  Uses and disclosures to carry out treatment, payment, or 
health care operations.

    (a) Standard: Permitted uses and disclosures. Except with respect 
to uses or disclosures that require an authorization under Sec.  
164.508(a)(2) through (4) or that are prohibited under Sec.  
164.502(a)(5)(i), a covered entity may use or disclose protected health 
information for treatment, payment, or health care operations as set 
forth in paragraph (c) of this section, provided that such use or 
disclosure is consistent with other applicable requirements of this 
subpart.
* * * * *
    (c) * * *
    (5) A covered entity that participates in an organized health care 
arrangement

[[Page 5699]]

may disclose protected health information about an individual to other 
participants in the organized health care arrangement for any health 
care operations activities of the organized health care arrangement.

0
49. Amend Sec.  164.508 as follows:
0
a. Revise the headings of paragraphs (a), (a)(1), and (a)(2);
0
b. Revise paragraph (a)(3)(ii);
0
c. Add new paragraph (a)(4); and
0
d. Revise paragraphs (b)(1)(i), and (b)(3).
    The revisions and additions read as follows:


Sec.  164.508  Uses and disclosures for which an authorization is 
required.

    (a) Standard: Authorizations for uses and disclosures--(1) 
Authorization required: General rule. * * *
    (2) Authorization required: Psychotherapy notes. * * *
    (3) * * *
    (ii) If the marketing involves financial remuneration, as defined 
in paragraph (3) of the definition of marketing at Sec.  164.501, to 
the covered entity from a third party, the authorization must state 
that such remuneration is involved.
    (4) Authorization required: Sale of protected health information.
    (i) Notwithstanding any provision of this subpart, other than the 
transition provisions in Sec.  164.532, a covered entity must obtain an 
authorization for any disclosure of protected health information which 
is a sale of protected health information, as defined in Sec.  164.501 
of this subpart. (ii) Such authorization must state that the disclosure 
will result in remuneration to the covered entity.
    (b) * * *
    (1) * * *
    (i) A valid authorization is a document that meets the requirements 
in paragraphs (a)(3)(ii), (a)(4)(ii), (c)(1), and (c)(2) of this 
section, as applicable.
* * * * *
    (3) Compound authorizations. An authorization for use or disclosure 
of protected health information may not be combined with any other 
document to create a compound authorization, except as follows:
    (i) An authorization for the use or disclosure of protected health 
information for a research study may be combined with any other type of 
written permission for the same or another research study. This 
exception includes combining an authorization for the use or disclosure 
of protected health information for a research study with another 
authorization for the same research study, with an authorization for 
the creation or maintenance of a research database or repository, or 
with a consent to participate in research. Where a covered health care 
provider has conditioned the provision of research-related treatment on 
the provision of one of the authorizations, as permitted under 
paragraph (b)(4)(i) of this section, any compound authorization created 
under this paragraph must clearly differentiate between the conditioned 
and unconditioned components and provide the individual with an 
opportunity to opt in to the research activities described in the 
unconditioned authorization.
    (ii) An authorization for a use or disclosure of psychotherapy 
notes may only be combined with another authorization for a use or 
disclosure of psychotherapy notes.
    (iii) An authorization under this section, other than an 
authorization for a use or disclosure of psychotherapy notes, may be 
combined with any other such authorization under this section, except 
when a covered entity has conditioned the provision of treatment, 
payment, enrollment in the health plan, or eligibility for benefits 
under paragraph (b)(4) of this section on the provision of one of the 
authorizations. The prohibition in this paragraph on combining 
authorizations where one authorization conditions the provision of 
treatment, payment, enrollment in a health plan, or eligibility for 
benefits under paragraph (b)(4) of this section does not apply to a 
compound authorization created in accordance with paragraph (b)(3)(i) 
of this section.
* * * * *

0
50. Amend Sec.  164.510 as follows:
0
a. Revise paragraph (a)(1)(ii) introductory text;
0
b. Revise paragraph (b)(1)(i), the second sentence of paragraph 
(b)(1)(ii), paragraph (b)(2)(iii), the first sentence of paragraph 
(b)(3), and paragraph (b)(4); and
0
c. Add new paragraph (b)(5).
    The revisions and additions read as follows:


Sec.  164.510  Uses and disclosures requiring an opportunity for the 
individual to agree or to object.

* * * * *
    (a) * * *
    (1) * * *
    (ii) Use or disclose for directory purposes such information:
* * * * *
    (b) * * *
    (1) * * *
    (i) A covered entity may, in accordance with paragraphs (b)(2), 
(b)(3), or (b)(5) of this section, disclose to a family member, other 
relative, or a close personal friend of the individual, or any other 
person identified by the individual, the protected health information 
directly relevant to such person's involvement with the individual's 
health care or payment related to the individual's health care.
    (ii) * * * Any such use or disclosure of protected health 
information for such notification purposes must be in accordance with 
paragraphs (b)(2), (b)(3), (b)(4), or (b)(5) of this section, as 
applicable.
* * * * *
    (2) * * *
    (iii) Reasonably infers from the circumstances, based on the 
exercise of professional judgment, that the individual does not object 
to the disclosure.
    (3) * * * If the individual is not present, or the opportunity to 
agree or object to the use or disclosure cannot practicably be provided 
because of the individual's incapacity or an emergency circumstance, 
the covered entity may, in the exercise of professional judgment, 
determine whether the disclosure is in the best interests of the 
individual and, if so, disclose only the protected health information 
that is directly relevant to the person's involvement with the 
individual's care or payment related to the individual's health care or 
needed for notification purposes. * * *
    (4) Uses and disclosures for disaster relief purposes. A covered 
entity may use or disclose protected health information to a public or 
private entity authorized by law or by its charter to assist in 
disaster relief efforts, for the purpose of coordinating with such 
entities the uses or disclosures permitted by paragraph (b)(1)(ii) of 
this section. The requirements in paragraphs (b)(2), (b)(3), or (b)(5) 
of this section apply to such uses and disclosures to the extent that 
the covered entity, in the exercise of professional judgment, 
determines that the requirements do not interfere with the ability to 
respond to the emergency circumstances.
    (5) Uses and disclosures when the individual is deceased. If the 
individual is deceased, a covered entity may disclose to a family 
member, or other persons identified in paragraph (b)(1) of this section 
who were involved in the individual's care or payment for health care 
prior to the individual's death, protected health information of the 
individual that is relevant to such person's involvement, unless doing 
so is inconsistent with any prior expressed preference of the 
individual that is known to the covered entity.

0
51. Amend Sec.  164.512 as follows:
0
a. Revise the paragraph heading for paragraph (b), the introductory 
text of

[[Page 5700]]

paragraph (b)(1) and the introductory text of paragraph (b)(1)(v)(A);
0
b. Add new paragraph (b)(1)(vi);
0
c. Revise the introductory text of paragraph (e)(1)(iii) and paragraph 
(e)(1)(vi);
0
d. Revise paragraph (i)(2)(iii); and
0
e. Revise paragraphs (k)(1)(ii), (k)(3), and (k)(5)(i)(E).
    The revisions and additions read as follows:


Sec.  164.512  Uses and disclosures for which an authorization or 
opportunity to agree or object is not required.

* * * * *
    (b) Standard: Uses and disclosures for public health activities. 
(1) Permitted uses and disclosures. A covered entity may use or 
disclose protected health information for the public health activities 
and purposes described in this paragraph to:
* * * * *
    (v) * * *
    (A) The covered entity is a covered health care provider who 
provides health care to the individual at the request of the employer:
* * * * *
    (vi) A school, about an individual who is a student or prospective 
student of the school, if:
    (A) The protected health information that is disclosed is limited 
to proof of immunization;
    (B) The school is required by State or other law to have such proof 
of immunization prior to admitting the individual; and
    (C) The covered entity obtains and documents the agreement to the 
disclosure from either:
    (1) A parent, guardian, or other person acting in loco parentis of 
the individual, if the individual is an unemancipated minor; or
    (2) The individual, if the individual is an adult or emancipated 
minor.
* * * * *
    (e) * * *
    (1) * * *
    (iii) For the purposes of paragraph (e)(1)(ii)(A) of this section, 
a covered entity receives satisfactory assurances from a party seeking 
protected health information if the covered entity receives from such 
party a written statement and accompanying documentation demonstrating 
that:
* * * * *
    (vi) Notwithstanding paragraph (e)(1)(ii) of this section, a 
covered entity may disclose protected health information in response to 
lawful process described in paragraph (e)(1)(ii) of this section 
without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) 
or (B) of this section, if the covered entity makes reasonable efforts 
to provide notice to the individual sufficient to meet the requirements 
of paragraph (e)(1)(iii) of this section or to seek a qualified 
protective order sufficient to meet the requirements of paragraph 
(e)(1)(v) of this section.
* * * * *
    (i) * * *
    (2) * * *
    (iii) Protected health information needed. A brief description of 
the protected health information for which use or access has been 
determined to be necessary by the institutional review board or privacy 
board, pursuant to paragraph (i)(2)(ii)(C) of this section;
* * * * *
    (k) * * *
    (1) * * *
    (ii) Separation or discharge from military service. A covered 
entity that is a component of the Departments of Defense or Homeland 
Security may disclose to the Department of Veterans Affairs (DVA) the 
protected health information of an individual who is a member of the 
Armed Forces upon the separation or discharge of the individual from 
military service for the purpose of a determination by DVA of the 
individual's eligibility for or entitlement to benefits under laws 
administered by the Secretary of Veterans Affairs.
* * * * *
    (3) Protective services for the President and others. A covered 
entity may disclose protected health information to authorized Federal 
officials for the provision of protective services to the President or 
other persons authorized by 18 U.S.C. 3056 or to foreign heads of state 
or other persons authorized by 22 U.S.C. 2709(a)(3), or for the conduct 
of investigations authorized by 18 U.S.C. 871 and 879.
* * * * *
    (5) * * *
    (i) * * *
    (E) Law enforcement on the premises of the correctional 
institution; or
* * * * *

0
52. In Sec.  164.514, revise paragraphs (e)(4)(ii)(C)(4), (f), and (g) 
to read as follows:


Sec.  164.514  Other requirements relating to uses and disclosures of 
protected health information.

* * * * *
    (e) * * *
    (4) * * *
    (ii) * * *
    (C) * * *
    (4) Ensure that any agents to whom it provides the limited data set 
agree to the same restrictions and conditions that apply to the limited 
data set recipient with respect to such information; and
* * * * *
    (f) Fundraising communications.
    (1) Standard: Uses and disclosures for fundraising. Subject to the 
conditions of paragraph (f)(2) of this section, a covered entity may 
use, or disclose to a business associate or to an institutionally 
related foundation, the following protected health information for the 
purpose of raising funds for its own benefit, without an authorization 
meeting the requirements of Sec.  164.508:
    (i) Demographic information relating to an individual, including 
name, address, other contact information, age, gender, and date of 
birth;
    (ii) Dates of health care provided to an individual;
    (iii) Department of service information;
    (iv) Treating physician;
    (v) Outcome information; and
    (vi) Health insurance status.
    (2) Implementation specifications: Fundraising requirements. (i) A 
covered entity may not use or disclose protected health information for 
fundraising purposes as otherwise permitted by paragraph (f)(1) of this 
section unless a statement required by Sec.  164.520(b)(1)(iii)(A) is 
included in the covered entity's notice of privacy practices.
    (ii) With each fundraising communication made to an individual 
under this paragraph, a covered entity must provide the individual with 
a clear and conspicuous opportunity to elect not to receive any further 
fundraising communications. The method for an individual to elect not 
to receive further fundraising communications may not cause the 
individual to incur an undue burden or more than a nominal cost.
    (iii) A covered entity may not condition treatment or payment on 
the individual's choice with respect to the receipt of fundraising 
communications.
    (iv) A covered entity may not make fundraising communications to an 
individual under this paragraph where the individual has elected not to 
receive such communications under paragraph (f)(1)(ii)(B) of this 
section.
    (v) A covered entity may provide an individual who has elected not 
to receive further fundraising communications with a method to opt back 
in to receive such communications.
    (g) Standard: uses and disclosures for underwriting and related 
purposes. If a health plan receives protected health information for 
the purpose of underwriting, premium rating, or other activities 
relating to the creation,

[[Page 5701]]

renewal, or replacement of a contract of health insurance or health 
benefits, and if such health insurance or health benefits are not 
placed with the health plan, such health plan may only use or disclose 
such protected health information for such purpose or as may be 
required by law, subject to the prohibition at Sec.  164.502(a)(5)(i) 
with respect to genetic information included in the protected health 
information.
* * * * *

0
53. Amend Sec.  164.520:
0
a. Revise paragraphs (b)(1)(ii)(E), (b)(1)(iii), (b)(1)(iv)(A), 
(b)(1)(v)(A), (c)(1)(i) introductory text, and (c)(1)(i)(B);
0
b. Remove paragraph (c)(1)(i)(C); and
0
c. Add paragraph (c)(1)(v).
    The revisions and addition read as follows:


Sec.  164.520  Notice of privacy practices for protected health 
information.

* * * * *
    (b) * * *
    (1) * * *
    (ii) * * *
    (E) A description of the types of uses and disclosures that require 
an authorization under Sec.  164.508(a)(2)-(a)(4), a statement that 
other uses and disclosures not described in the notice will be made 
only with the individual's written authorization, and a statement that 
the individual may revoke an authorization as provided by Sec.  
164.508(b)(5).
    (iii) Separate statements for certain uses or disclosures. If the 
covered entity intends to engage in any of the following activities, 
the description required by paragraph (b)(1)(ii)(A) of this section 
must include a separate statement informing the individual of such 
activities, as applicable:
    (A) In accordance with Sec.  164.514(f)(1), the covered entity may 
contact the individual to raise funds for the covered entity and the 
individual has a right to opt out of receiving such communications; (B) 
In accordance with Sec.  164.504(f), the group health plan, or a health 
insurance issuer or HMO with respect to a group health plan, may 
disclose protected health information to the sponsor of the plan; or
    (C) If a covered entity that is a health plan, excluding an issuer 
of a long-term care policy falling within paragraph (1)(viii) of the 
definition of health plan, intends to use or disclose protected health 
information for underwriting purposes, a statement that the covered 
entity is prohibited from using or disclosing protected health 
information that is genetic information of an individual for such 
purposes.
    (iv) * * *
    (A) The right to request restrictions on certain uses and 
disclosures of protected health information as provided by Sec.  
164.522(a), including a statement that the covered entity is not 
required to agree to a requested restriction, except in case of a 
disclosure restricted under Sec.  164.522(a)(1)(vi);
* * * * *
    (v) * * *
    (A) A statement that the covered entity is required by law to 
maintain the privacy of protected health information, to provide 
individuals with notice of its legal duties and privacy practices with 
respect to protected health information, and to notify affected 
individuals following a breach of unsecured protected health 
information;
* * * * *
    (c) * * *
    (1) * * *
    (i) A health plan must provide the notice:
* * * * *
    (B) Thereafter, at the time of enrollment, to individuals who are 
new enrollees.
* * * * *
    (v) If there is a material change to the notice:
    (A) A health plan that posts its notice on its web site in 
accordance with paragraph (c)(3)(i) of this section must prominently 
post the change or its revised notice on its web site by the effective 
date of the material change to the notice, and provide the revised 
notice, or information about the material change and how to obtain the 
revised notice, in its next annual mailing to individuals then covered 
by the plan.
    (B) A health plan that does not post its notice on a web site 
pursuant to paragraph (c)(3)(i) of this section must provide the 
revised notice, or information about the material change and how to 
obtain the revised notice, to individuals then covered by the plan 
within 60 days of the material revision to the notice.
* * * * *

0
54. Amend Sec.  164.522 as follows:
0
a. Revise paragraph (a)(1)(ii);
0
b. Add new paragraph (a)(1)(vi); and
0
c. Revise the introductory text of paragraph (a)(2), and paragraphs 
(a)(2)(iii), and paragraph (a)(3).
    The revisions and additions read as follows:


Sec.  164.522  Rights to request privacy protection for protected 
health information.

    (a)(1) * * *
    (ii) Except as provided in paragraph (a)(1)(vi) of this section, a 
covered entity is not required to agree to a restriction.
* * * * *
    (vi) A covered entity must agree to the request of an individual to 
restrict disclosure of protected health information about the 
individual to a health plan if:
    (A) The disclosure is for the purpose of carrying out payment or 
health care operations and is not otherwise required by law; and
    (B) The protected health information pertains solely to a health 
care item or service for which the individual, or person other than the 
health plan on behalf of the individual, has paid the covered entity in 
full.
    (2) Implementation specifications: Terminating a restriction. A 
covered entity may terminate a restriction, if:
* * * * *
    (iii) The covered entity informs the individual that it is 
terminating its agreement to a restriction, except that such 
termination is:
    (A) Not effective for protected health information restricted under 
paragraph (a)(1)(vi) of this section; and
    (B) Only effective with respect to protected health information 
created or received after it has so informed the individual.
    (3) Implementation specification: Documentation. A covered entity 
must document a restriction in accordance with Sec.  160.530(j) of this 
subchapter.
* * * * *

0
55. Amend Sec.  164.524 as follows:
0
a. Remove paragraph (b)(2)(ii) and redesignate paragraph (b)(2)(iii) as 
paragraph (b)(2)(ii);
0
b. Revise newly designated paragraph (b)(2)(ii);
0
c. Revise paragraph (c)(2)(i);
0
d. Redesignate paragraph (c)(2)(ii) as paragraph (c)(2)(iii);
0
e. Add new paragraph (c)(2)(ii);
0
f. Revise paragraphs (c)(3) and (c)(4)(i);
0
g. Redesignate paragraphs (c)(4)(ii) and (c)(4)(iii) as paragraphs 
(c)(4)(iii) and (c)(4)(iv), respectively; and
0
h. Add new paragraph (c)(4)(ii).
    The revisions and additions read as follows:


Sec.  164.524  Access of individuals to protected health information.

* * * * *
    (b) * * *
    (2) * * *
    (ii) If the covered entity is unable to take an action required by 
paragraph (b)(2)(i)(A) or (B) of this section within the time required 
by paragraph (b)(2)(i) of this section, as applicable, the covered 
entity may extend the time for such actions by no more than 30 days, 
provided that:
    (A) The covered entity, within the time limit set by paragraph 
(b)(2)(i) of

[[Page 5702]]

this section, as applicable, provides the individual with a written 
statement of the reasons for the delay and the date by which the 
covered entity will complete its action on the request; and
    (B) The covered entity may have only one such extension of time for 
action on a request for access.
    (c) * * *
    (2) Form of access requested. (i) The covered entity must provide 
the individual with access to the protected health information in the 
form and format requested by the individual, if it is readily 
producible in such form and format; or, if not, in a readable hard copy 
form or such other form and format as agreed to by the covered entity 
and the individual.
    (ii) Notwithstanding paragraph (c)(2)(i) of this section, if the 
protected health information that is the subject of a request for 
access is maintained in one or more designated record sets 
electronically and if the individual requests an electronic copy of 
such information, the covered entity must provide the individual with 
access to the protected health information in the electronic form and 
format requested by the individual, if it is readily producible in such 
form and format; or, if not, in a readable electronic form and format 
as agreed to by the covered entity and the individual.
* * * * *
    (3) Time and manner of access. (i) The covered entity must provide 
the access as requested by the individual in a timely manner as 
required by paragraph (b)(2) of this section, including arranging with 
the individual for a convenient time and place to inspect or obtain a 
copy of the protected health information, or mailing the copy of the 
protected health information at the individual's request. The covered 
entity may discuss the scope, format, and other aspects of the request 
for access with the individual as necessary to facilitate the timely 
provision of access.
    (ii) If an individual's request for access directs the covered 
entity to transmit the copy of protected health information directly to 
another person designated by the individual, the covered entity must 
provide the copy to the person designated by the individual. The 
individual's request must be in writing, signed by the individual, and 
clearly identify the designated person and where to send the copy of 
protected health information.
    (4) * * *
    (i) Labor for copying the protected health information requested by 
the individual, whether in paper or electronic form;
    (ii) Supplies for creating the paper copy or electronic media if 
the individual requests that the electronic copy be provided on 
portable media;
* * * * *

0
56. In Sec.  164.532, revise paragraphs (a), (c)(2), (c)(3), (d), 
(e)(1), and (e)(2), and add paragraphs (c)(4) and (f) to read as 
follows:


Sec.  164.532  Transition provisions.

    (a) Standard: Effect of prior authorizations. Notwithstanding 
Sec. Sec.  164.508 and 164.512(i), a covered entity may use or disclose 
protected health information, consistent with paragraphs (b) and (c) of 
this section, pursuant to an authorization or other express legal 
permission obtained from an individual permitting the use or disclosure 
of protected health information, informed consent of the individual to 
participate in research, a waiver of informed consent by an IRB, or a 
waiver of authorization in accordance with Sec.  164.512(i)(1)(i).
* * * * *
    (c) * * *
    (2) The informed consent of the individual to participate in the 
research;
    (3) A waiver, by an IRB, of informed consent for the research, in 
accordance with 7 CFR 1c.116(d), 10 CFR 745.116(d), 14 CFR 1230.116(d), 
15 CFR 27.116(d), 16 CFR 1028.116(d), 21 CFR 50.24, 22 CFR 225.116(d), 
24 CFR 60.116(d), 28 CFR 46.116(d), 32 CFR 219.116(d), 34 CFR 
97.116(d), 38 CFR 16.116(d), 40 CFR 26.116(d), 45 CFR 46.116(d), 45 CFR 
690.116(d), or 49 CFR 11.116(d), provided that a covered entity must 
obtain authorization in accordance with Sec.  164.508 if, after the 
compliance date, informed consent is sought from an individual 
participating in the research; or
    (4) A waiver of authorization in accordance with Sec.  
164.512(i)(1)(i).
    (d) Standard: Effect of prior contracts or other arrangements with 
business associates. Notwithstanding any other provisions of this part, 
a covered entity, or business associate with respect to a 
subcontractor, may disclose protected health information to a business 
associate and may allow a business associate to create, receive, 
maintain, or transmit protected health information on its behalf 
pursuant to a written contract or other written arrangement with such 
business associate that does not comply with Sec. Sec.  164.308(b), 
164.314(a), 164.502(e), and 164.504(e), only in accordance with 
paragraph (e) of this section.
    (e) Implementation specification: Deemed compliance. (1) 
Qualification. Notwithstanding other sections of this part, a covered 
entity, or business associate with respect to a subcontractor, is 
deemed to be in compliance with the documentation and contract 
requirements of Sec. Sec.  164.308(b), 164.314(a), 164.502(e), and 
164.504(e), with respect to a particular business associate 
relationship, for the time period set forth in paragraph (e)(2) of this 
section, if:
    (i) Prior to January 25, 2013, such covered entity, or business 
associate with respect to a subcontractor, has entered into and is 
operating pursuant to a written contract or other written arrangement 
with the business associate that complies with the applicable 
provisions of Sec. Sec.  164.314(a) or 164.504(e) that were in effect 
on such date; and
    (ii) The contract or other arrangement is not renewed or modified 
from March 26, 2013, until September 23, 2013.
    (2) Limited deemed compliance period. A prior contract or other 
arrangement that meets the qualification requirements in paragraph (e) 
of this section shall be deemed compliant until the earlier of:
    (i) The date such contract or other arrangement is renewed or 
modified on or after September 23, 2013; or
    (ii) September 22, 2014.
* * * * *
    (f) Effect of prior data use agreements. If, prior to [January 25, 
2013, a covered entity has entered into and is operating pursuant to a 
data use agreement with a recipient of a limited data set that complies 
with Sec.  164.514(e), notwithstanding Sec.  164.502(a)(5)(ii), the 
covered entity may continue to disclose a limited data set pursuant to 
such agreement in exchange for remuneration from or on behalf of the 
recipient of the protected health information until the earlier of:
    (1) The date such agreement is renewed or modified on or after 
September 23, 2013; or
    (2) September 22, 2014.
* * * * *

    Dated: January 15, 2013.
Kathleen Sebelius,
Secretary.
[FR Doc. 2013-01073 Filed 1-17-13; 4:15 pm]
BILLING CODE 4153-01-P