HIPAA Privacy Regulations: Uses and Disclosures For Which an Authorization or Opportunity to Agree or Object is Not Required: Public Health Activities - § 164.512(b)
As Contained in the HHS HIPAA Privacy Rules
HHS Guidance: HIPAA Privacy in Emergency Situations
HHS Guidance: Student Immunizations
HHS Regulations as Amended January 2013
(b) Standard: Uses and disclosures for public health activities—(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to:
(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;
(ii) A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;
(iii) A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include:
(A) To collect or report adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;
(B) To track FDA-regulated products;
(C) To enable product recalls, repairs, or replacement, or lookback (including locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of lookback); or
(D) To conduct post marketing surveillance;
(iv) A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or
(v) An employer, about an individual who is a member of the workforce of the employer, if:
(A) The covered entity is a covered health care provider who provides health care to the individual at the request of the employer:
(1) To conduct an evaluation relating to medical surveillance of the workplace; or
(2) To evaluate whether the individual has a work-related illness or injury;
(B) The protected health information that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance;
(C) The employer needs such findings in order to comply with its obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance; and
(D) The covered health care provider provides written notice to the individual that protected health information relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer:
(1) By giving a copy of the notice to the individual at the time the health care is provided; or
(2) If the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided.
(vi) A school, about an individual who is a student or prospective student of the school, if:
(A) The protected health information that is disclosed is limited to proof of immunization;
(B) The school is required by State or other law to have such proof of immunization prior to admitting the individual; and
(C) The covered entity obtains and documents the agreement to the disclosure from either:
(1) A parent, guardian, or other person acting in loco parentis of the individual, if the individual is an unemancipated minor; or
(2) The individual, if the individual is an adult or emancipated minor.
(2) Permitted uses. If the covered entity also is a public health authority, the covered entity is permitted to use protected health information in all cases in which it is permitted to disclose such information for public health activities under paragraph (b)(1) of this section.
HHS Description and Commentary From the January 2013 Amendments
Medical Surveillance
Where an employer needs protected health information to comply with workplace medical surveillance laws, such as the Occupational Safety and Health Administration or Mine Safety and Health Administration requirements, § 164.512(b)(1)(v)(A) permits a covered entity to disclose, subject to certain conditions, protected health information of an individual to the individual’s employer if the covered entity is a covered health care provider “who is a member of the workforce of such employer or who provides health care to the individual at the request of the employer.” We proposed to amend the quoted language by removing the words “who is a member of the workforce of such employer or,” as the language is unnecessary.
Immunization Records
Proposed Rule
The Privacy Rule, at § 164.512(b), recognizes that covered entities must balance protecting the privacy of health information with sharing health information with those responsible for ensuring public health and safety, and permits covered entities to disclose the minimum necessary protected health information to public health authorities or other designated persons or entities without an authorization for public health purposes specified by the Rule.
Schools play an important role in preventing the spread of communicable diseases among students by ensuring that students entering classes have been immunized. Most States have “school entry laws” which prohibit a child from attending school unless the school has proof that the child has been appropriately immunized.
Some States allow a child to enter school provisionally for a certain period of time while the school waits for the necessary immunization information. Typically, schools ensure compliance with those requirements by requesting the immunization records from parents (rather than directly from a health care provider). However, where a covered health care provider is requested to send the immunization records directly to a school, the Privacy Rule generally requires written authorization by the child’s parent before a covered health care provider may do so.
Since the Privacy Rule went into effect, we had heard concerns that the requirement for covered entities to obtain authorization before disclosing student immunization information may make it more difficult for parents to provide, and for schools to obtain, the necessary immunization documentation for students, which may prevent students’ admittance to school. The National Committee on Vital and Health Statistics submitted these concerns to the HHS Secretary and recommended that HHS regard disclosure of immunization records to schools to be a public health disclosure, thus eliminating the requirement for authorization. See http://www.ncvhs.hhs.gov/04061712.html. As such, we proposed to amend § 164.512(b)(1) by adding a new paragraph that permits covered entities to disclose proof of immunization to schools in States that have school entry or similar laws. While written authorization that complies with § 164.508 would no longer have been required for disclosure of such information under the proposal, the covered entity would still have been required to obtain agreement, which may have been oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual him- or herself, if the individual is an adult or emancipated minor.
Because the proposed provision would have permitted a provider to accept a parent’s oral agreement to disclose immunization results to a school – as opposed to a written agreement – the NPRM acknowledged a potential for a miscommunication and later objection by the parent. We, therefore, requested comment on whether the Privacy Rule should require that a provider document any oral agreement under this provision to help avoid such problems, or whether a requirement for written documentation would be overly cumbersome, on balance. We also requested comment on whether the rule should mandate that the disclosures go to a particular school official and if so, who that should be.
In addition, the Privacy Rule does not define the term “school” and the types of schools subject to the school entry laws may vary by State. For example, depending on the State, such laws may apply to public and private elementary or primary schools and secondary schools (kindergarten through 12th grade), as well as daycare and preschool facilities, and post-secondary institutions. Thus, we requested comment on the scope of the term “school” for the purposes of this section and whether we should include a specific definition of “school” within the regulation itself. In addition, we requested comment on the extent to which schools that may not be subject to these school entry laws but that may also require proof of immunization have experienced problems that would warrant their being included in this category of public health disclosures.
Overview of Public Comments
Most commenters were generally in favor of permitting covered entities to disclose student immunization records based on obtaining agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor, rather than written authorization. Commenters supported the intent to facilitate the transmission of immunization records to ease the burden on parents, schools and covered entities, and to minimize the amount of school missed by students.
Some commenters opposed the proposal to require oral or written agreement, claiming that a new form of “agreement” would introduce unnecessary complexity and confusion, and would not help to reduce burden. These commenters asserted that covered entities would document the verbal agreements for their own liability purposes, even if not required by the Privacy Rule. In this manner, the documentation burden would still be present. Some commenters recommended that instead of an oral agreement or authorization requirement, disclosure of immunization records to schools should be considered an exempt public health disclosure. A small minority of commenters felt that the current authorization system should be maintained as it is the best way to ensure patient safety and privacy while avoiding miscommunications and misunderstandings.
Commenters were divided on the issue of requiring written documentation of the agreement. Some commenters were in favor of documenting oral agreements, citing that the documentation would be less cumbersome than obtaining written authorizations while also helping to avoid miscommunications. On the other hand, some commenters felt that requiring written documentation would be burdensome and would eliminate the benefits introduced by permitting oral agreements. Some commenters also requested flexibility for covered entities to determine whether or not written documentation is appropriate and necessary for their purposes.
The majority of commenters requested that a designated recipient of the student immunization records not be defined, and that schools be allowed flexibility to identify the appropriate individual(s) that can act as the school official permitted to receive the records. Commenters indicated that while the disclosures would ideally be made to a nurse or licensed health professional at the school, such a health professional may not always be present. In such instances, it should be permissible that the immunization records be disclosed to another official designated by the school as a suitable representative. One commenter recommended that the school nurse be designated as the recipient and custodian of the records.
Most commenters recommended that the definition of “school” be interpreted broadly in order to best support public health efforts. Commenters provided suggestions on the types of schools that should be included, for example, K-12 schools, public and private schools, and post-secondary schools. Many commenters also suggested that daycare, preschool and nursery school facilities be encompassed in the definition of school. One commenter expressly recommended that child care facilities or day care programs not be included in the definition of school, despite acknowledging the need to protect the health of these children, because many States have different laws for these settings and these settings are separate from school systems. Two commenters suggested defining schools as being open to children up to age 18, since students become adults at age 18 and can authorize the disclosure of their own information.
A few commenters suggested that the definition include all schools that require immunization documentation as a prerequisite to enrollment, not just those that are subject to State entry laws, in order to protect public health in all school settings, since the threat of un-immunized children exists regardless of State school entry laws. Additionally, some commenters recommended that the term “school” not be defined in the Privacy Rule due to the variation across States in the types of schools that are subject to the entry laws.
Final Rule
The final rule adopts the proposal to amend § 164.512(b)(1) by adding a new paragraph that permits a covered entity to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor. We believe that the option to provide oral agreement for the disclosure of student immunization records will relieve burden on parents, schools, and covered entities, and greatly facilitate the role that schools play in public health, while still giving parents the opportunity to consider whether to agree to the disclosure of this information.
The final rule additionally requires that covered entities document the agreement obtained under this provision. The final rule does not prescribe the nature of the documentation and does not require signature by the parent, allowing covered entities the flexibility to determine what is appropriate for their purposes. The documentation must only make clear that agreement was obtained as permitted under this provision. For example, if a parent or guardian submits a written or email request to a covered entity to disclose his or her child’s immunization records to the child’s school, a copy of the request would suffice as documentation of the agreement. Likewise, if a parent or guardian calls the covered entity and requests over the phone that his or her child’s immunization records be disclosed to the child’s school, a notation in the child’s medical record or elsewhere of the phone call would suffice as documentation of the agreement.
We emphasize that the agreement is not equivalent to a HIPAA-compliant authorization, and covered entities are not required to document a signature as part of this requirement.
We disagree with comments that documentation would be as burdensome on covered entities as written authorization, since an authorization form contains many required statements and elements, including a signature by the appropriate individual, which are not required for the agreement and documentation contemplated here. Furthermore, we believe that documentation of oral agreements will help to prevent miscommunications and potential future objections by parents or individuals, and the concerns that covered entities may have regarding liability, penalty or other enforcement actions for disclosures made pursuant to an oral agreement.
Several commenters recommended that, in lieu of an oral agreement, disclosure of immunization records to schools be presumed to be permitted, while giving individuals the option to opt out of this presumption or request a restriction to the disclosure. One commenter advocated for this public health exemption for disclosure of immunization records as being particularly critical for children who may be, for example, homeless, living with someone other than a parent or legal guardian, or living with a parent that does not speak English. We remove the written authorization requirement to help facilitate these disclosures with as much flexibility as possible. However, we do not intend this provision to change the current practice of parents, guardians, or other persons acting in loco parentis contacting a child’s health care provider to request proof of immunization be sent to the child’s school. Therefore, we still require active agreement from the appropriate individual, and a health care provider may not disclose immunization records to a school under this provision without such agreement. The agreement must be an affirmative assent or request by a parent, guardian, or other person acting in loco parentis (or by an adult individual or emancipated minor, if applicable) to the covered entity, which may be oral and over the phone, to allow the disclosure of the immunization records. A mere request by a school to a health care provider for the immunization records of a student would not be sufficient to permit disclosure under this provision (and such a request by a school might also raise implications under other laws, such as FERPA).
We decline to include definitions of “school official” and “school” in the final rule. The motivation for this new permissive disclosure is to promote public health by reducing the burden associated with providing schools with student immunization records and we do not wish to create additional difficulties or confusion in doing so. We therefore agree with commenters that schools are best equipped to determine the appropriate individual to receive student immunization records at their location and will benefit from having this flexibility. We also agree with commenters that “school” should remain undefined in the Privacy Rule due to the variation across States in the types of schools that are subject to the entry laws. We believe that this will best align with State law and cause the least amount of confusion. We did not receive sufficient comment regarding the breadth of schools that are not subject to school entry laws or the burden that these institutions face to justify expanding this provision to allow disclosure of proof of immunization to such schools without an authorization.
Response to Other Public Comments
Comment: Several commenters raised concerns about the dynamic between the Privacy Rule requirements and State law requirements regarding immunization disclosures. Commenters indicated that some State laws require providers to directly share immunization records with schools and provide parents with the opportunity to opt out of this direct sharing. Commenters also indicated the use of State immunization registries in many States, to which schools are permitted direct access. One commenter suggested that the Privacy Rule permit State law to determine what is the minimum necessary for proof of immunization.
Response: We take this opportunity to clarify that the Privacy Rule at § 164.512(a) permits a covered entity to use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law. As such, the Privacy Rule does not prohibit immunization disclosures that are mandated by State law, nor does it require authorization for such disclosures. With regard to State laws that require covered entities to disclose immunization records to schools and allow parents to opt out, this is not in any way prohibited by the Privacy Rule. However, with regard to State laws that permit but do not require covered entities to disclose immunization records to schools, this does not meet the requirements of the provisions at § 164.512(a), and disclosures of immunization records are subject to the Privacy Rule agreement and documentation requirements described in this part.
We also note that the Privacy Rule at § 164.512(b) permits a covered entity to disclose protected health information for public health activities. Disclosures of protected health information to State immunization registries are therefore permitted by the Privacy Rule and also do not require authorization. The Privacy Rule at § 164.514(d)(3)(iii)(A) provides that a covered entity, when making a permitted disclosure pursuant to § 164.512 to a public official, may determine, if such a determination is reasonable under the circumstances, that information requested by a public official is the minimum necessary information for the stated purpose, if the public official represents that the information requested is the minimum necessary for the stated purpose(s). Under this provision, a covered entity may rely on State law or a State official’s determination of the minimum necessary information required for proof of immunization, unless such determination is unreasonable.
Comment: Commenters requested guidance on when and how often to obtain agreement for immunization disclosures.
Response: We anticipate that covered entities will obtain agreement for the disclosure of immunization records on a case-by-case basis as needed. For example, a parent may call and request that a covered entity provide his or her child’s immunization records before the child begins elementary school, if required by State school entry laws.
If that child moves to a different school and is unable to transfer their immunization records to the new school, the parent may need to request that the covered entity provide his or her child’s immunization records to the new school, if required by State school entry laws. A parent might also generally indicate to a covered entity that he or she affirmatively agrees to the immediate or future disclosure of his or her child’s immunization records to the child’s school as necessary, or the continued disclosure of such information if, for example, updates are required by the school when a series of vaccinations have been completed.
Comment: Commenters requested clarification on the length of time an agreement may be relied upon.
Response: An agreement to permit the disclosure of immunization records is considered effective until revoked by the parent, guardian or other person acting in loco parentis for the individual, or by the individual himself or herself, if the individual is an adult or emancipated minor.
Comment: Commenters requested clarification regarding any requirement for schools to maintain the immunization records.
Response: The Privacy Rule does not require schools to keep student immunization records; however, individual State or other laws may require this.
HHS Description and Commentary From the August 2002 Revisions
Uses and Disclosures For Which an Authorization or Opportunity to Agree or Object is Not Required: Uses and Disclosures for Public Health Activities
December 2000 Privacy Rule. The Privacy Rule permits covered entities to disclose protected health information without consent or authorization for public health purposes. Generally, these disclosures may be made to public health authorities, as well as to contractors and agents of public health authorities. However, in recognition of the essential role of drug and medical device manufacturers and other private persons in carrying out the Food and Drug Administration's (FDA) public health mission, the December 2000 Privacy Rule permitted covered entities to make such disclosures to a person who is subject to the jurisdiction of the FDA, but only for the following specified purposes: (1) to report adverse events, defects or problems, or biological product deviations with respect to products regulated by the FDA (if the disclosure is made to the person required or directed to report such information to the FDA); (2) to track products (if the disclosure is made to the person required or directed to report such information to the FDA); (3) for product recalls, repairs, or replacement; and (4) for conducting post-marketing surveillance to comply with FDA requirements or at the direction of the FDA.
March 2002 NPRM. The Department heard a number of concerns about the scope of the disclosures permitted for FDA-regulated products and activities and the failure of the Privacy Rule to reflect the breadth of the public health activities currently conducted by private sector entities subject to the jurisdiction of the FDA on a voluntary basis. These commenters claimed the Rule would constrain important public health surveillance and reporting activities by impeding the flow of needed information to those subject to the jurisdiction of the FDA. For instance, there were concerns that the Rule would have a chilling effect on current voluntary reporting practices. The FDA gets the vast majority of information concerning problems with FDA-regulated products, including drugs, medical devices, biological products, and food indirectly through voluntary reports made by health care providers to the manufacturers. These reports are critically important to public health and safety. The December 2000 Rule permitted such disclosures only when made to a person "required or directed" to report the information to the FDA or to track the product. The manufacturer may or may not be required to report such problems to the FDA, and the covered entities who make these reports are not in a position to know whether the recipient of the information is so obligated. Consequently, many feared that this uncertainty would cause covered entities to discontinue their practices of voluntary reporting of adverse events related to FDA-regulated products or entities.
Some covered entities also expressed fears of the risk of liability should they inadvertently report the information to a person who is not subject to the jurisdiction of the FDA or to the wrong manufacturer. Hence, they urged the Department to provide a "good-faith" safe harbor to protect covered entities from enforcement actions arising from unintentional violations of the Privacy Rule.
A number of commenters, including some subject to the jurisdiction of the FDA, suggested that it is not necessary to disclose identifiable health information for some or all of these public health purposes, that identifiable health information is not reported to the FDA, and that information without direct identifiers (such as name, mailing address, phone number, social security number, and email address) is sufficient for post-marketing surveillance purposes.
The Rule is not intended to discourage or prevent adverse event reporting or otherwise disrupt the flow of essential information that the FDA and persons subject to the jurisdiction of the FDA need in order to carry out their important public health activities. Therefore, the Department proposed some modifications to the Rule to address these issues in the NPRM. Specifically, the Department proposed to remove from §§ 164.512(b)(1)(iii)(A) and (B) the phrase "if the disclosure is made to a person required or directed to report such information to the Food and Drug Administration" and to remove from subparagraph (D) the phrase "to comply with requirements or at the direction of the Food and Drug Administration." In lieu of this language, the Department proposed to describe at the outset the public health purposes for which disclosures may be made. The proposed language read: "A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity."
The proposal retained the specific activities identified in paragraphs (A), (B), (C), and (D) as examples of common FDA purposes for which disclosures would be permitted, but eliminated the language that would have made this listing the only activities for which such disclosures would be allowed. These activities include reporting of adverse events and other product defects, the tracking of FDA-regulated products, enabling product recalls, repairs, or replacement, and conducting post-marketing surveillance. Additionally, the Department proposed to include "lookback" activities in paragraph (C), which are necessary for tracking blood and plasma products, as well as quarantining tainted blood or plasma and notifying recipients of such tainted products.
In addition to these specific changes, the Department solicited comments on whether a limited data set should be required or permitted for some or all public health purposes, or if a special rule should be developed for public health reporting. The Department also requested comments as to whether the proposed modifications would be sufficient, or if additional measures, such as a good-faith safe harbor, would be needed for covered entities to continue to report vital information concerning FDA-regulated products or activities on a voluntary basis.
Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.
The proposed changes received wide support. The overwhelming majority of commenters urged the Department to adopt the proposed changes, claiming it would reduce the chilling effect that the Rule would otherwise have on current voluntary reporting practices, which are an important means of identifying adverse events, defects, and other problems regarding FDA-regulated products. Several commenters further urged the Department to provide a good-faith safe harbor to allay providers' fears of inadvertently violating the Rule, stating that covered entities would otherwise be reluctant to risk liability to make these important public health disclosures.
A few commenters opposed the proposed changes, expressing concern that the scope of the proposal was too broad. They were particularly concerned that including activities related to "quality" or "effectiveness" would create a loophole for manufacturers to obtain and use protected health information for purposes the average person would consider unrelated to public health or safety, such as using information to market products to individuals. Some of these commenters said the Department should retain the exclusive list of purposes and activities for which such disclosures may be made, and some urged the Department to retain the "required or directed" language, as it creates an essential nexus to a government authority or requirement. It was also suggested that the chilling effect on reporting of adverse events could be counteracted by a more targeted approach. Commenters were also concerned that the proposal would permit disclosure of much more protected health information to non-covered entities that are not obligated by the Rule to protect the privacy of the information. Comments regarding use of a limited data set for public health disclosures are discussed in section III.G.1. of the preamble.
Final Modifications. In the final modifications, the Department adopts the language proposed in the NPRM. Section 164.512(b)(1)(iii), as modified, permits covered entities to disclose protected health information, without authorization, to a person subject to the jurisdiction of the FDA with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety, or effectiveness of such FDA-regulated product or activity. Such purposes include, but are not limited to, the following activities and purposes listed in subparagraphs (A) through (D): (1) to collect or report adverse events (or similar activities regarding food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations, (2) to track FDA-regulated products, (3) to enable product recalls, repairs, or replacement, or for lookback (including locating and notifying persons who have received products that have been withdrawn, recalled, or are the subject of lookback), and (4) to conduct post-marketing surveillance.
The Department believes these modifications are necessary to remove barriers that could prevent or chill the continued flow of vital information between health care providers and manufacturers of food, drugs, medical and other devices, and biological products. Health care providers have been making these disclosures to manufacturers for many years, and commenters opposed to the proposal did not cite any examples of abuses of information disclosed for such purposes. Furthermore, both the individuals who are the subjects of the information and the general public benefit from these disclosures, which are an important means of identifying and dealing with FDA-regulated products on the market that potentially pose a health or safety threat. For example, FDA learns a great deal about the safety of a drug after it is marketed as a result of voluntary adverse event reports made by covered entities to the product's manufacturer. The manufacturer is required to submit these safety reports to FDA, which uses the information to help make the product safer by, among other things, adding warnings or changing the product's directions for use. The modifications provide the necessary assurances to covered entities that such voluntary reporting may continue.
Although the list of permissible disclosures is no longer exclusive, the Department disagrees with commenters that asserted the modifications permit virtually unlimited disclosures for FDA purposes. As modified, such disclosures must still be made to a person subject to the jurisdiction of the FDA. The disclosure also must relate to FDA-regulated products or activities for which the person using or receiving the information has responsibility, and be made only for activities related to the safety, effectiveness, or quality of such FDA-regulated product or activity. These terms are terms of art with commonly accepted and understood meanings in the FDA context, meanings of which providers making such reports are aware. This limits the possibility that FDA-regulated manufacturers and entities will be able to abuse this provision to obtain information to which they would otherwise not be entitled.
Moreover, § 164.512(b)(1) specifically limits permissible disclosures to those made for public health activities and purposes. While a disclosure related to the safety, quality or effectiveness of an FDA-regulated product is a permissible disclosure, the disclosure also must be for a "public health" activity or purpose. For example, it is not permissible under § 164.512(b)(1)(iii) for a covered entity to disclose protected health information to a manufacturer to allow the manufacturer to evaluate the effectiveness of a marketing campaign for a prescription drug. In this example, although the disclosure may be related to the effectiveness of an FDA-regulated activity (the advertising of a prescription drug), the disclosure is made for the commercial purposes of the manufacturer rather than for a public health purpose.
A disclosure related to a "quality" defect of an FDA-regulated product is also permitted. For instance, the public health exception permits a covered entity to contact the manufacturer of a product to report drug packaging quality defects. However, this section does not permit all possible reports from a covered entity to a person subject to FDA jurisdiction about product quality. It would not be permissible for a provider to furnish a manufacturer with a list of patients who prefer a different flavored cough syrup over the flavor of the manufacturer's product. Such a disclosure generally would not be for a public health purpose. However, a disclosure related to the flavor of a product would be permitted under this section if the covered entity believed that a difference in the product's flavor indicated, for example, a possible manufacturing problem or suggested that the product had been tampered with in a way that could affect the product's safety.
The Department clarifies that the types of disclosures that covered entities are permitted to make to persons subject to FDA jurisdiction are those of the type that have been traditionally made over the years. These reports include, but are not limited to, those made for the purposes identified in paragraphs (A) - (D) of § 164.512(b)(1)(iii) of this final Rule.
Also, the minimum necessary standard applies to public health disclosures, including those made to persons subject to the jurisdiction of the FDA. There are many instances where a report about the quality, safety, or effectiveness of an FDA-regulated product can be made without disclosing protected health information. Such may be the case with many adverse drug events where it is important to know what happened but it may not be important to know to whom. However, in other circumstances, such as device tracking or blood lookback, it is essential for the manufacturer to have identifying patient information in order to carry out its responsibilities under the Food, Drug, and Cosmetic Act. Therefore, identifiable health information can be disclosed for these purposes, consistent with the minimum necessary standard.
As the Department stated in the preamble of the NPRM, "a person" subject to the jurisdiction of the FDA does not mean that the disclosure must be made to a specific individual. The Food, Drug, and Cosmetic Act defines "person" to include an individual, partnership, corporation, and association. Therefore, covered entities may continue to disclose protected health information to the companies subject to FDA's jurisdiction that have responsibility for the product or activity. Covered entities may identify responsible companies by using information obtained from product labels or product labeling (written material about the product that accompanies the product) including sources of labeling, such as the Physician's Desk Reference.
The Department believes these modifications effectively balance the privacy interests of individuals with the interests of public health and safety. Since the vast majority of commenters were silent on the question of the potential need for a "good faith" exception, the Department believes that these modifications will be sufficient to preserve the current public health activities of persons subject to the jurisdiction of the FDA, without such a safe harbor. However, the Department will continue to evaluate the effect of the Rule to determine whether there is need for further modifications or guidance.
Response to Other Public Comments.
Comment: A few commenters urged the Department to include foreign public health authorities in the Rule's definition of "public health authority." These commenters claimed that medical products are often distributed in multiple countries, and the associated public health issues are experienced globally. They further claimed that requiring covered entities to obtain the permission of a United States-based public health authority before disclosing protected health information to a foreign government public health authority will impede important communications.
Response: The Department notes that covered entities are permitted to disclose protected health information for public health purposes, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority. The Department does not have sufficient information at this time as to any potential impacts or workability issues that could arise from this language and, therefore, does not modify the Rule in this regard.
Comment: Some commenters, who opposed the proposal as a weakening of the Privacy Rule, suggested that the Department implement a more targeted approach to address only those issues raised in the preamble to the NPRM, such as voluntary adverse event reporting activities, rather than broadening the provision generally.
Response: The NPRM was intended to address a number of issues in addition to the concern that the December 2000 Privacy Rule would chill reporting of adverse events to entities from whom the FDA receives much of its adverse event information. For instance, the text of the December 2000 Privacy Rule did not expressly permit disclosure of protected health information to FDA-regulated entities for the purpose of enabling "lookback," which is an activity performed by the blood and plasma industry to identify and quarantine blood and blood products that may be at increased risk of transmitting certain blood-borne diseases, and which includes the notification of individuals who received possibly tainted products, permitting them to seek medical attention and counseling. The NPRM also was intended to simplify the public health reporting provision and to make it more readily understandable. Finally, the approach proposed in the NPRM, and adopted in this final Rule, is intended to add flexibility to the public health reporting provision of the December 2000 Rule, whose exclusive list of permissible disclosures was insufficiently flexible to assure that § 164.512(b)(1)(iii) will allow legitimate public health reporting activities that might arise in the future.
In addition, the Department clarifies that the reporting of adverse events is not restricted to the FDA or persons subject to the jurisdiction of the FDA. A covered entity may, under § 164.512(b), disclose protected health information to a public health authority that is authorized to receive or collect a report on an adverse event. In addition, to the extent an adverse event is required to be reported by law, the disclosure of protected health information for this purpose is also permitted under § 164.512(a). For example, a Federally funded researcher who is a covered health care provider under the Privacy Rule may disclose protected health information related to an adverse event to the National Institutes of Health (NIH) if required to do so by NIH regulations. Even if not required to do so, the researcher may also disclose adverse events directly to NIH as a public health authority. To the extent that NIH has public health matters as part of its official mandate, it qualifies as a public health authority under the Privacy Rule, and to the extent it is authorized by law to collect or receive reports about injury and other adverse events, such collection would qualify as a public health activity.
HHS Description from Original Rulemaking: Uses and Disclosures For Which an Authorization or Opportunity to Agree or Object is Not Required: Uses and Disclosures for Public Health Activities
The NPRM would have allowed covered entities to disclose protected health information without individual authorization to: (1) a public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; (2) a public health authority or other appropriate authority authorized by law to receive reports of child abuse or neglect; (3) a person or entity other than a governmental authority that could demonstrate or demonstrated that it was acting to comply with requirements or direction of a public health authority; or (4) a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition and was authorized by law to be notified as necessary in the conduct of a public health intervention or investigation.
In the final rule, we broaden the scope of permissible disclosures pursuant to item (1) listed above. We narrow the scope of disclosures permissible under item (3) of this list, and we add language to clarify the scope of permissible disclosures with respect to item (4) on the list. We broaden the scope of allowable disclosures regarding item (1) by allowing covered entities to disclose protected health information not only to U.S. public health authorities but also, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority. For example, we allow covered entities to disclose protected health information to a foreign government agency that is collaborating with the Centers for Disease Control and Prevention to limit the spread of infectious disease.
We narrow the conditions under which covered entities may disclose protected health information to non-government entities. We allow covered entities to disclose protected health information to a person subject to the FDA's jurisdiction, for the following activities: to report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems, or biological product deviations, if the disclosure is made to the person required or directed to report such information to the FDA; to track products if the disclosure is made to a person required or directed by the FDA to track the product; to enable product recalls, repairs, or replacement, including locating and notifying individuals who have received products regarding product recalls, withdrawals, or other problems; or to conduct post-marketing surveillance to comply with requirements or at the direction of the FDA.
The terms included in § 164.512(b)(iii) are intended to have both their commonly understood meanings, as well as any specialized meanings, pursuant to the Food, Drug, and Cosmetic Act (21 U.S.C. 321 et seq.) or the Public Health Service Act (42 U.S.C. 201 et seq.). For example, "post-marketing surveillance" is intended to mean activities related to determining the safety or effectiveness of a product after it has been approved and is in commercial distribution, as well as certain Phase IV (post-approval) commitments by pharmaceutical companies. With respect to devices, "post-marketing surveillance" can be construed to refer to requirements of section 522 of the Food, Drug, and Cosmetic Act regarding certain implanted, life-sustaining, or life-supporting devices. The term "track" includes, for example, tracking devices under section 519(e) of the Food, Drug, and Cosmetic Act, units of blood or other blood products, as well as trace-backs of contaminated food.
In § 164.512(b)(iii), the term "required" refers to requirements in statute, regulation, order, or other legally binding authority exercised by the FDA. The term "directed," as used in this section, includes other official agency communications such as guidance documents.
We note that under this provision, a covered entity may disclose protected health information to a non-governmental organization without individual authorization for inclusion in a private database or registry only if the disclosure is otherwise for one of the purposes described in this provision (e.g., for tracking products pursuant to FDA direction or requirements, or for post-marketing surveillance to comply with FDA requirements or direction).
To make a disclosure that is not for one of these activities, covered entities must obtain individual authorization or must meet the requirements of another provision of this rule. For example, covered entities may disclose protected health information to employers for inclusion in a workplace surveillance database only: with individual authorization; if the disclosure is required by law; if the disclosure meets the requirements of § 164.512(b)(v); or if the disclosure meets the conditions of another provision of this regulation, such as § 164.512(i) relating to research. Similarly, if a pharmaceutical company seeks to create a registry containing protected health information about individuals who had taken a drug that the pharmaceutical company had developed, covered entities may disclose protected health information without authorization to the pharmaceutical company pursuant to FDA requirements or direction. If the pharmaceutical company's registry is not for any of these purposes, covered entities may disclose protected health information to it only with patient authorization, if required by law, or if disclosure meets the conditions of another provision of this rule.
The final rule continues to permit covered entities to disclose protected health information without individual authorization directly to public health authorities, such as the Food and Drug Administration, the Occupational Safety and Health Administration, the Centers for Disease Control and Prevention, as well as state and local public health departments, for public health purposes as specified in the NPRM.
The final rule retains the NPRM provision allowing covered entities to disclose protected health information to public health authorities or other appropriate government authorities authorized by law to receive reports of child abuse or neglect. In addition, we clarify the NPRM's provision regarding disclosure of protected health information to persons who may have been exposed to a communicable disease or who may otherwise be at risk of contracting or spreading a disease or condition. Under the final rule, covered entities may disclose protected health information to such individuals when the covered entity or public health authority is authorized by law to notify these individuals as necessary in the conduct of a public health intervention or investigation.
In addition, as in the NPRM, under the final rule, a covered entity that is acting as a public health authority – for example, a public hospital conducting infectious disease surveillance in its role as an arm of the public health department – may use protected health information in all cases for which it is allowed to disclose such information for public health activities as described above.
The proposed rule did not contain a specific provision relating to disclosures by covered health care providers to employers concerning work-related injuries or illnesses or workplace medical surveillance. Under the proposed rule, a covered entity would have been permitted to disclose protected health information without individual authorization for public health purposes to a private person if the person could demonstrate that it was acting to comply with requirements or at the direction of a public health authority.
As discussed above, in the final rule we narrow the scope of this paragraph as it applies to disclosures to persons other than public health authorities. To ensure that covered health care providers may make disclosures of protected health information without individual authorization to employers when appropriate under federal and state laws addressing work-related injuries and illnesses or workplace medical surveillance, we include a new provision in the final rule. The provision permits covered health care providers who provide health care as a workforce member of or at the request of an employer to disclose to that employer protected health information concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty under the Occupational Safety and Health Act, the Federal Mine Safety and Health Act, or under a similar state law, to keep records on or act on such information. For example, OSHA regulations in 29 CFR Part 1904 require employers to record work-related injuries and illnesses if medical treatment is necessary; MSHA regulations at 30 CFR Part 50 require mine operators to report injuries and illnesses experienced by miners. Similarly, OSHA rules require employers to monitor employees' exposure to certain substances and to remove employees from exposure when toxic thresholds have been met. To obtain the relevant health information necessary to determine whether an injury or illness should be recorded, or whether an employee must be medically removed from exposure at work, employers must refer employees to health care providers for examination and testing.
OSHA and MSHA rules do not impose duties directly upon health care providers to disclose health information pertaining to recordkeeping and medical monitoring requirements to employers. Rather, these rules operate on the presumption that health care providers who provide services at the request of an employer will be able to disclose to the employer work-related health information necessary for the employer to fulfill its compliance obligations. This new provision permits covered entities to make disclosures necessary for the effective functioning of OSHA and MSHA requirements, or those of similar state laws, by permitting a health care provider to make disclosures without the authorization of the individual concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty under OSHA and MSHA requirements, or under similar state laws, to keep records on or act on such information.
We require health care providers who make disclosures to employers under this provision to provide notice to individuals that the provider discloses protected health information to employers relating to the medical surveillance of the workplace and work-related illnesses and injuries. The notice required under this provision is separate from the notice required under § 164.520. The notice required under this provision may be met by giving a copy of the notice to the individual at the time the provider provides the health care services, or, if the health care services are provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care services are provided.
This provision applies only when a covered health care provider provides health care services as a workforce member of or at the request of an employer and for the purposes discussed above. The provision does not affect the application of this rule to other health care provided to individuals or to their relationship with health care providers that they select.
HHS Response to Comments Received from Original Rulemaking: Uses and Disclosures for Public Health Activities
Comment: Several non-profit entities commented that medical records research by nonprofit entities to ensure public health goals, such as disease-specific registries, would not have been covered by this provision. These organizations collect information without relying on a government agency or law. Commenters asserted that such activities are essential and must continue. They generally supported the provisions allowing the collection of individually identifiable health information without authorization for registries. One stated that both governmental and non-governmental cancer registries should be exempt from the regulation. They stated that "such entities, by their very nature, collect health information for legitimate public health and research purposes." Another, however, addressed its comments only to "disclosure to non-government entities operating such system as required or authorized by law."
Response: We acknowledge that such entities may be engaged in disease-specific or other data collection activities that provide a benefit to their members and others affected by a particular malady and that they contribute to the public health and scientific database on low incidence or little known conditions. However, in the absence of some nexus to a government public health authority or other underlying legal authority, it is unclear upon what basis covered entities can determine which registries or collections are "legitimate" and how the confidentiality of the registry information will be protected. Commenters did not suggest methods for "validating" these private registry programs, and no such methods currently exist at the federal level. It is unknown whether any states have such a program. Broadening the exemption could provide a loophole for private data collections for inappropriate purposes or uses under a "public health" mask.
In this rule, we do not seek to make judgments as to the legitimacy of private entities' disease-specific registries or of private data collection endeavors. Rather, we establish the general terms and conditions for disclosure and use of protected health information. Under the final rule, covered entities may obtain authorization to disclose protected health information to private entities seeking to establish registries or other databases; they may disclose protected health information as required by law; or they may disclose protected health information to such entities if they meet the conditions of one of the provisions of §§ 164.510 or 164.512. We believe that the circumstances under which covered entities may disclose protected health information to private entities should be limited to specified national priority purposes, as reflected through the FDA requirements or directives listed in § 164.512(b)(iii), and to enable recalls, repairs, or replacements of products regulated by the FDA. Covered health care providers who are workforce members of an employer, or who are conducting evaluations relating to work-related injuries or illnesses or workplace surveillance, also may disclose to employers protected health information consisting of the findings of such evaluations that are necessary for the employer to comply with requirements under OSHA and related laws.
Comment: Several commenters said that the NPRM did not indicate how to distinguish between public health data collections and government health data systems. They suggested eliminating proposed § 164.510(g) on disclosures and uses for government health data systems, because they believed that such disclosures and uses were adequately covered by proposed § 164.510(b) on public health.
Response: As discussed below, we agree with the commenters who suggested that the proposed provision that would have permitted disclosures to government health data bases was overly broad, and we remove it from the final rule. We reviewed the important purposes for which some commenters said government agencies needed protected health information, and we believe that most of those needs can be met through the other categories of permitted uses and disclosures without authorization allowed under the final rule, including provisions permitting covered entities to disclose information (subject to certain limitations) to government agencies for public health, health oversight, law enforcement, and otherwise as required by law. For example, the final rule continues to allow collection of protected health information without authorization to monitor trends in the spread of infectious disease, morbidity and mortality.
Comment: Several commenters recommended expanding the scope of disclosures permissible under proposed § 164.510(b)(1)(iii), which would have allowed covered entities to disclose protected health information to private entities that could demonstrate that they were acting to comply with requirements, or at the direction, of a public health authority. These commenters said that they needed to collect individually identifiable health information in the process of drug and device development, approval, and post-market surveillance – activities that are related to, and necessary for, the FDA regulatory process. However, they noted that the specific data collections involved were not required by FDA regulations. Some commenters said that they often devised their own data collection methods, and that health care providers disclosed information to companies voluntarily for activities such as post-marketing surveillance and efficacy surveys. Commenters said they used this information to comply with FDA requirements such as reporting adverse events, filing other reports, or recordkeeping. Commenters indicated that the FDA encouraged but did not require them to establish other data collection mechanisms, such as pregnancy registries that track maternal exposure to drugs and the outcomes.
Accordingly, several commenters recommended modifying proposed § 164.510(b) to allow covered entities to disclose protected health information without authorization to manufacturers registered with the FDA to manufacture, distribute, or sell a prescription drug, device, or biological product, in connection with post-marketing safety and efficacy surveillance or for the entity to obtain information about the drug, device, or product or its use. One commenter suggested including in the regulation an illustrative list of examples of FDA-related requirements, and stating in the preamble that all activities taken in furtherance of compliance with FDA regulations are "public health activities."
Response: We recognize that the FDA conducts or oversees many activities that are critical to help ensure the safety or effectiveness of the many products it regulates. These activities include, for example, reporting of adverse events, product defects and problems; product tracking; and post-marketing surveillance. In addition, we believe that removing defective or harmful products from the market is a critical national priority and is an important tool in FDA efforts to promote the safety and efficacy of the products it regulates. We understand that in most cases, the FDA lacks statutory authority to require product recalls. We also recognize that the FDA typically does not conduct recalls, repairs, or product replacement surveillance directly, but rather, that it relies on the private entities it regulates to collect data, notify patients when applicable, repair and replace products, and undertake other activities to promote the safety and effectiveness of FDA-regulated products.
We believe, however, that modifying the NPRM to allow disclosure of protected health information to private entities as part of any data-gathering activity related to a drug, device, or biological product or its use, or for any activity that is consistent with, or that appears to promote, objectives specified in FDA regulation would represent an inappropriately broad exception to the general requirement to obtain authorization prior to disclosure. Such a change could allow, for example, drug companies to collect protected health information without authorization to use for the purpose of marketing pharmaceuticals. We do not agree that all activities taken to promote compliance with FDA regulations represent public health activities as that term is defined in this rule. In addition, we believe it would not be appropriate to include in the regulation text an "illustrative list" of requirements "related to" the FDA. The regulation text and preamble list the FDA-related activities for which we believe disclosure of protected health information to private entities without authorization is warranted.
We believe it is appropriate to allow disclosure of protected health information without authorization to private entities only: for purposes that the FDA has, in effect, identified as national priorities by issuing regulations or express directions requiring such disclosure; or if such disclosure is necessary for a product recall. For example, we believe it is appropriate to allow covered health care providers to disclose to a medical device manufacturer recalling defective heart valves the names and last known addresses of patients in whom the provider implanted the valves. Thus, in the final rule, we allow covered entities to disclose protected health information to entities subject to FDA jurisdiction for the following activities: to report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations, if the disclosure is made to the person required or directed to report such information to the FDA; to track products if the disclosure is made to a person required or directed by the FDA to track the product; to enable product recalls, repairs, or replacement (including locating and notifying individuals who have received products of product recalls, withdrawals, or other problems); or to conduct post-marketing surveillance to comply with requirements or at the direction of the FDA. The preamble above provides further detail on the meaning of some of the terms in this list. Covered entities may disclose protected health information to entities for activities other than those described above only as required by law; with authorization; or if permissible under another section of this rule.
We understand that many private registries, such as pregnancy registries, currently obtain patient authorization for data collection. We believe the approach of § 164.512(b) strikes an appropriate balance between the objective of promoting patient privacy and control over their health information and the objective of allowing private entities to collect data that ultimately may have important public health benefits.
Comment: One commenter remarked that our proposal may impede fetal/infant mortality and child fatality reviews.
Response: The final rule permits a covered entity to disclose protected health information to a public health authority authorized by law to conduct public health activities, including the collection of data relevant to death or disease, in accordance with § 164.512(b). Such activities may also meet the definition of "health care operations." We therefore do not believe this rule impedes these activities.
Comment: Several comments requested that the final regulation clarify that employers be permitted to use and/or disclose protected health information pursuant to the requirements of the Occupational Safety and Health Act and its accompanying regulations ("OSHA"). A few comments asserted that the regulation should not only permit employers to use and disclose protected health information without first obtaining an authorization consistent with OSHA requirements, but also permit them to use and disclose protected health information if the use or disclosure is consistent with the spirit of OSHA. One commenter supported the permissibility of these types of uses and disclosures, but warned that the regulation should not grant employers unfettered access to the entire medical record of employees for the purpose of meeting OSHA requirements. Other commenters noted that OSHA not only requires disclosures to the Occupational Safety and Health Administration, but also to third parties, such as employers and employee representatives. Thus, this comment asked HHS to clarify that disclosures to third parties required by OSHA are also permissible under the regulation.
Response: Employers as such are not covered entities under HIPAA and we generally do not have authority over their actions. When an employer has a health care component, such as an on-site medical clinic, and the component meets the requirements of a covered health care provider, health plan or health care clearinghouse, the uses and disclosures of protected health information by the health care component, including disclosures to the larger employer entity, are covered by this rule and must comply with its provisions.
A covered entity, including a covered health care provider, may disclose protected health information to OSHA under § 164.512(a), if the disclosure is required by law, or if the disclosure is a discretionary one for public health activities, under § 164.512(b). Employers may also request employees to provide authorization for the employer to obtain protected health information from covered entities to conduct analyses of work-related health issues. See § 164.508.
We also permit covered health care providers who provide health care as a workforce member of an employer or at the request of an employer to disclose protected health information to the employer concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty to keep records on or act on such information under the OSHA or similar laws. We added this provision to ensure that employers are able to obtain the information that they need to meet federal and state laws designed to promote safer and healthier workplaces. These laws are vital to protecting the health and safety of workers and we permit specified covered health care providers to disclose protected health information as necessary to carry out these purposes.
Comment: A few comments suggested that the final regulation clarify how it would interact with existing and pending OSHA requirements. One of these comments requested that the Secretary delay the effective date of the regulation until reviews of existing requirements are complete.
Response: As noted in the "Relationship to Other Federal Laws" section of the preamble, we are not undertaking a complete review of all existing laws with which covered entities might have to comply. Instead we have described a general framework under which such laws may be evaluated. We believe that adopting national standards to protect the privacy of individually identifiable health information is an urgent national priority. We do not believe that it is appropriate to delay the effective date of this regulation.
Comment: One commenter asserted that the proposed regulation conflicted with the OSHA regulation requirement that when a designated representative (to whom the employee has already provided a written authorization to obtain access) requests a release form for access to employee medical records, the form must include the purpose for which the disclosure is sought, which the proposed privacy regulation does not require.
Response: We do not agree that this difference creates a conflict for covered entities. If an employer seeks to obtain a valid authorization under § 164.508, it may add a purpose statement to the authorization so that it complies with OSHA's requirements and is a valid authorization under § 164.508 upon which a covered entity may rely to make a disclosure of protected health information to the employer.
Comment: One commenter stated that access to workplace medical records by the occupational medical physicians is fundamental to workplace and community health and safety. Access is necessary whether it is a single location or multiple sites of the same company, such as production facilities of a national company located throughout the country.
Response: We permit covered health care providers who provide health care as a workforce member of an employer or at the request of an employer to disclose protected health information to the employer concerning work-related injuries or illnesses or workplace medical surveillance, as described in this paragraph. Information obtained by an employer under this paragraph would be available for it to use, consistent with other laws and regulations, as it chooses and throughout the national company. We do not regulate uses or disclosures of individually identifiable health information by employers acting as employers.