HIPAA Privacy Regulations: Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object is Not Required: Health Oversight Activities - § 164.512(d)
As Contained in the HHS HIPAA Privacy Rules
HHS Regulations |
(d) Standard: Uses and disclosures for health oversight activities—(1) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:
(i) The health care system;
(ii) Government benefit programs for which health information is relevant to beneficiary eligibility;
(iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
(iv) Entities subject to civil rights laws for which health information is necessary for determining compliance.
(2) Exception to health oversight activities. For the purpose of the disclosures permitted by paragraph (d)(1) of this section, a health oversight activity does not include an investigation or other activity in which the individual is the subject of the investigation or activity and such investigation or other activity does not arise out of and is not directly related to:
(i) The receipt of health care;
(ii) A claim for public benefits related to health; or
(iii) Qualification for, or receipt of, public benefits or services when a patient's health is integral to the claim for public benefits or services.
(3) Joint activities or investigations. Notwithstanding paragraph (d)(2) of this section, if a health oversight activity or investigation is conducted in conjunction with an oversight activity or investigation relating to a claim for public benefits not related to health, the joint activity or investigation is considered a health oversight activity for purposes of paragraph (d) of this section.
(4) Permitted uses. If a covered entity also is a health oversight agency, the covered entity may use protected health information for health oversight activities as permitted by paragraph (d) of this section.
HHS Description Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object is Not Required: Uses and Disclosures for Health Oversight Activities |
Under § 164.510(c) of the NPRM, we proposed to permit covered entities to disclose protected health information to health oversight agencies for oversight activities authorized by law, including audit, investigation, inspection, civil, criminal, or administrative proceeding or action, or other activity necessary for appropriate oversight of: (i) the health care system; (ii) government benefit programs for which health information is relevant to beneficiary eligibility; or (iii) government regulatory programs for which health information is necessary for determining compliance with program standards.
In § 164.512(d) of the final rule, we modify the proposed language to include civil and criminal investigations. In describing "other activities necessary for oversight" of particular entities, we add the phrase "entities subject to civil rights laws for which health information is necessary for determining compliance." In addition, in the final rule, we add "licensure or disciplinary actions" to the list of oversight activities authorized by law for which covered entities may disclose protected health information to health oversight agencies. The NPRM's definition of "health oversight agency" (in proposed § 164.504) included this phrase, but it was inadvertently excluded from the regulation text at proposed § 164.510(c). We make this change in the regulation text of the final rule to conform to the NPRM's definition of health oversight agency and to reflect the full range of activities for which we intend to allow covered entities to disclose protected health information to health oversight agencies.
The NPRM would have allowed, but would not have required, covered entities to disclose protected health information to public oversight agencies and to private entities acting under grant of authority from or under contract with oversight agencies for oversight purposes without individual authorization for health oversight activities authorized by law. When a covered entity was also an oversight agency, it also would have been permitted to use protected health information in all cases in which it would have been allowed to disclose such information for health oversight purposes. The NPRM would not have established any new administrative or judicial process prior to disclosure for health oversight, nor would it have permitted disclosures forbidden by other law. The proposed rule also would not have created any new right of access to health records by oversight agencies, and it could not have been used as authority to obtain records not otherwise legally available to the oversight agency.
The final rule retains this approach to health oversight. As in the NPRM, the final rule provides that when a covered entity is also an oversight agency, it is allowed to use protected health information in all cases in which it is allowed to disclose such information for health oversight purposes. For example, if a state insurance department is acting as a health plan in operating the state's Medicaid managed care program, the final rule allows the insurance department to use protected health information in all cases for which the plan can disclose the protected health information for health oversight purposes. For example, the state insurance department in its capacity as the state Medicaid managed care plan can use protected health information in the process of investigating and disciplining a state Medicaid provider for attempting to defraud the Medicaid system. As in the NPRM, the final rule does not establish any new administrative or judicial process prior to disclosure for health oversight, nor does it prohibit covered entities from making any disclosures for health oversight that are otherwise required by law. Like the NPRM, it does not create any new right of access to health records by oversight agencies and it cannot be used as authority to obtain records not otherwise legally available to the oversight agency.
Overlap Between Law Enforcement and Oversight
Under the NPRM, the proposed definitions of law enforcement and oversight, and the rules governing disclosures for these purposes overlapped. Specifically, this overlap occurred because: (1) the NPRM preamble, but not the NPRM regulation text, indicated that agencies conducting both oversight and law enforcement activities would be subject to the oversight requirements when conducting oversight activities; and (2) the NPRM addressed some disclosures for investigations of health care fraud in the law enforcement paragraph (proposed § 164.510(f)(5)(i)), while health care fraud investigations are central to the purpose of health care oversight agencies (covered under proposed § 164.510(c)). In the final rule, we make substantial changes to these provisions, in an attempt to prevent confusion.
In § 164.512(d)(2), we include explicit decision rules indicating when an investigation is considered law enforcement and when an investigation is considered oversight under this regulation. An investigation or activity is not considered health oversight for purposes of this rule if: (1) the individual is the subject of the investigation or activity; and (2) the investigation or activity does not arise out of and is not directly related to: (a) the receipt of health care; (b) a claim for public benefits related to health; or (c) qualification for, or receipt of public benefits or services where a patient's health is integral to the claim for benefits or services. In such cases, where the individual is the subject of the investigation and the investigation does not relate to issues (a) through (c), the rules regarding disclosure for law enforcement purposes (see § 164.512(f)) apply. For the purposes of this rule, we intend for investigations regarding issues (a) through (c) above to mean investigations of health care fraud.
Where the individual is not the subject of the activity or investigation, or where the investigation or activity relates to the subject matter in (a) through (c) of the preceding sentence, a covered entity may make a disclosure pursuant to § 164.512(d)(1). For example, when the U.S. Department of Labor's Pension and Welfare Benefits Administration (PWBA) needs to analyze protected health information about health plan enrollees in order to conduct an audit or investigation of the health plan (i.e., the enrollees are not subjects of the investigation) to investigate potential fraud by the plan, the health plan may disclose protected health information to the PWBA under the health oversight rules. These rules and distinctions are discussed in greater detail in our responses to comments.
To clarify further that health oversight disclosure rules apply generally in health care fraud investigations (subject to the exception described above), in the final rule, we eliminate proposed § 164.510(f)(5)(i), which would have established requirements for disclosure related to health care fraud for law enforcement purposes. All disclosures of protected health information that would have been permitted under proposed § 164.510(f)(5)(i) are permitted under § 164.512(d).
In the final rule, we add new language (§ 164.512(d)(3)) to address situations in which health oversight activities are conducted in conjunction with an investigation regarding a claim for public benefits not related to health (e.g., claims for Food Stamps). In such situations, for example, when a state Medicaid agency is working with the Food Stamps program to investigate suspected fraud involving Medicaid and Food Stamps, covered entities may disclose protected health information to the entities conducting the joint investigation under the health oversight provisions of the rule.
In the proposed rule, the definitions of "law enforcement proceeding" and "oversight activity" both included the phrase "criminal, civil, or administrative proceeding." For reasons explained below, the final rule retains this phrase in both definitions. The final rule does not attempt to distinguish between these activities based on the agency undertaking them or the applicable enforcement procedures. Rather, as described above, the final rule carves out certain activities which must always be considered law enforcement for purposes of disclosure of protected health information under this rule.
Additional Considerations
We note that covered entities are permitted to initiate disclosures that are permitted under this paragraph. For example, a covered entity could disclose protected health information in the course of reporting suspected health care fraud to a health oversight agency.
We delete language in the NPRM that would have allowed disclosure under this section only to law enforcement officials conducting or supervising an investigation, official inquiry, or a criminal, civil or administrative proceeding authorized by law. In some instances, a disclosure by a covered entity under this section will initiate such an investigation or proceeding, but it will not already be ongoing at the time the disclosure is made.
HHS Response to Comments Received Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object is Not Required: Uses and Disclosures for Health Oversight Activities |
Comment: A couple of commenters supported the NPRM's approach to health oversight. Several other commenters generally supported the NPRM's approach to disclosure of protected health information for national priority purposes, and they recommended some clarification regarding disclosure for health oversight. Two commenters recommended clarifying in the final rule that disclosure is allowed to all federal, state, and local agencies that use protected health information to carry out legally mandated responsibilities.
Response: The final rule permits disclosures to public agencies that meet the definition of a health oversight agency and for oversight of the particular areas described in the statute. Section 164.512(a) of the final rule permits disclosures that are required by law. As discussed in the responses to comments of § 164.512(a), we do not in the final rule permit disclosures merely authorized by other laws that do not fit within the other public policy purposes recognized by the rule.
Comment: One commenter recommended clarifying in the final rule that covered entities are not required to establish business partner contracts with health oversight agencies or public health authorities to release individually identifiable information to them for purposes exempt from HIPAA and sanctioned by state law.
Response: The final rule does not require covered entities to establish business associate contracts with health oversight agencies when they disclose protected health information to these agencies for oversight purposes.
Comment: Two commenters recommended clarifying in the regulation text that the health oversight section does not create a new right of access to protected health information.
Response: We agree and include such a statement in the preamble of § 164.512(d) of the final rule.
Comment: Several commenters were concerned that the proposed oversight section allowed but did not require disclosure of protected health information to health oversight agencies for oversight activities.
Response: This rule's purpose is to protect the privacy of individually identifiable health information. Except to enforce the rule and to establish individuals' right to access their own protected health information (see § 164.502(a)(2)), we do not require disclosure of protected health information to any person or entity. We allow such disclosure for situations in which other laws require disclosure.
Comment: Some commenters were concerned that the NPRM would have allowed health oversight agencies to re-use and redisclose protected health information to other entities, and they were particularly concerned about re-disclosure to and re-use by law enforcement agencies. One commenter believed that government agencies would use the label of health oversight to gain access to protected health information from covered entities – thereby avoiding the procedural requirements of the law enforcement section (proposed § 164.510(f)) and subsequently would turn over information to law enforcement officials. Thus, these groups were concerned that the potential for oversight access to protected health information under the rule to become the "back door" to law enforcement access to such information.
Based on their concerns, these commenters recommended establishing a general prohibition on the re-use and re-disclosure of protected health information obtained by health oversight agencies in actions against individuals. One health plan expressed general concern about re-disclosure among all of the public agencies covered in the proposed § 164.510. It recommended building safeguards into the rule to prevent information gathered for one purpose (for example, public health) from being used for another purpose (such as health oversight).
Many of the commenters concerned about re-disclosure of protected health information obtained for oversight purposes said that if the Secretary lacked statutory authority to regulate oversight agencies' re-disclosure of protected health information and the re-use of this information by other agencies covered in proposed § 164.510, the President should issue an Executive Order barring such re-disclosure and re-use. One of these groups specified that the Executive Order should bar re-use and re-disclosure of protected health information in actions against individuals.
In contrast, some commenters advocated information-sharing between law enforcement and oversight agencies. Most of these commenters recognized that the NPRM would have allowed re-use and re-disclosure of protected health information from oversight to law enforcement agencies, and they supported this approach.
Response: We believe that the language we have added to the rule, at § 164.512(d)(2) and the corresponding explanation in the preamble, to clarify the boundary between disclosures for health oversight and for law enforcement purposes should partially address the concern expressed by some that oversight agencies will be the back door for access by law enforcement. In situations when the individual is the subject of an investigation or activity and the investigation or activity is not related to health care fraud, the requirements for disclosure to law enforcement must be met, and an oversight agency cannot request the information under its more general oversight authority.
We acknowledge, however, that there will be instances under the rule when a health oversight agency (or a law enforcement agency in its oversight capacity) that has obtained protected health information appropriately will be able to redisclose the information to a law enforcement agency for law enforcement purposes. Under HIPAA, we have the authority to restrict re-disclosure of protected health information only by covered entities. Re-disclosures by public agencies such as oversight agencies are not within the purview of this rule. We support the enactment of comprehensive privacy legislation that would govern such public agencies' re-use and re-disclosure of this information. Furthermore, in an effort to prevent health oversight provisions from becoming the back door to law enforcement access to protected health information, the President is issuing an Executive Order that places strict limitations on the use of protected health information gathered in the course of an oversight investigation for law enforcement activities. For example, such use will be subject to review by the Deputy Attorney General.
Comment: Several commenters recommended modifying the proposed oversight section to require health oversight officials to justify and document their need for identifiable information.
Response: We encourage covered entities to work with health oversight agencies to determine the scope of information needed for health oversight inquiries. However, we believe that requiring covered entities to obtain extensive documentation of health oversight information needs could compromise health oversight agencies' ability to complete investigations, particularly when an oversight agency is investigating the covered entity from which it is seeking information.
Comment: Several commenters believed that health oversight activities could be conducted without access to individually identifiable health information. Some of these groups recommended requiring information provided to health oversight agencies to be de-identified to the extent possible.
Response: We encourage health oversight agencies to use de-identified information whenever possible to complete their investigations. We recognize, however, that in some cases, health oversight agencies need identifiable information to complete their investigations. For example, as noted in the preamble to the NPRM, to determine whether a hospital has engaged in fraudulent billing practices, it may be necessary to examine billing records for a set of individual cases. Similarly, to determine whether a health plan is complying with federal or state health care quality standards, it may be necessary to examine individually identifiable health information in comparison with such standards. Thus, to allow health oversight agencies to conduct the activities that are central to their mission, the final rule does not require covered entities to de-identify protected health information before disclosing it to health oversight organizations.
Comment: One commenter recommended requiring whistleblowers, pursuant to proposed § 164.518(a)(4) of the NPRM, to raise the issue of a possible violation of law with the affected covered entity before disclosing such information to an oversight agency, attorney, or law enforcement official.
Response: We believe that such a requirement would be inappropriate, because it would create the potential for covered entities that are the subject of whistleblowing to take action to evade law enforcement and oversight action.
Comment: One commenter recommended providing an exemption from the proposed rule's requirements for accounting for disclosures when such disclosures were for health oversight purposes.
Response: We recognize that in some cases, informing individuals that their protected health information has been disclosed to a law enforcement official or to a health oversight agency could compromise the ability of law enforcement and oversight officials to perform their duties appropriately. Therefore, in the final rule, we retain the approach of proposed § 164.515 of the NPRM. Section 164.528(a)(2) of the final rule states that an individual's right to receive an accounting of disclosures to a health oversight agency, law enforcement official, or for national security or intelligence purposes may be temporarily suspended for the time specified by the agency or official. As described in § 164.528(a)(2), for such a suspension to occur, the agency or official must provide the affected covered entity with a written request stating that an accounting to the individual would be reasonably likely to impede the agency's activity. The request must specify the time for which the suspension is required. We believe that providing a permanent exemption to the right to accounting for disclosures for health oversight purposes would fail to ensure that individuals are sufficiently informed about the extent of disclosures of their protected health information.
Comment: One commenter recommended making disclosures to health oversight agencies subject to a modified version of the NPRM's proposed three-part test governing disclosure of protected health information to law enforcement pursuant to an administrative request (as described in proposed § 164.510(f)(1)).
Response: We disagree that it would be appropriate to apply the procedural requirements for law enforcement to health oversight. We apply more extensive procedural requirements to law enforcement disclosures than to disclosures for health oversight because we believe that law enforcement investigations more often involve situations in which the individual is the subject of the investigation (and thus could suffer adverse consequences), and we believe that it is appropriate to provide greater protection to individuals in such cases. Health oversight involves investigations of institutions that use health information as part of business functions, or of individuals whose health information has been used to obtain a public benefit. These circumstances justify broader access to information.
Overlap Between Law Enforcement and Oversight
Comment: Some commenters expressed concern that the NPRM's provisions permitting disclosures for health oversight and disclosures for law enforcement overlapped, and that the overlap could create confusion among covered entities, members of the public, and government agencies. The commenters identified particular factors that could lead to confusion, including that (1) the phrase "criminal, civil, or administrative proceeding" appeared in the definitions of both law enforcement and oversight; (2) the examples of oversight agencies listed in the preamble included a number of organizations that also conduct law enforcement activities; (3) the NPRM addressed the issue of disclosures to investigate health care fraud in the law enforcement section (§ 164.510(f)(5)), yet health care fraud investigations are central to the mission of some health care oversight agencies; (4) the NPRM established more stringent rules for disclosure of protected health information pursuant to an administrative subpoena issued for law enforcement than for disclosure pursuant to an oversight agency's administrative subpoena; and (5) the preamble, but not the NPRM regulation text, indicated that agencies conducting both oversight and law enforcement activities would be subject to the oversight requirements when conducting oversight activities.
Some commenters said that covered entities would be confused by the overlap between law enforcement and oversight and that this concern would lead to litigation over which rules should apply when an entity engaged in more than one of the activities listed under the exceptions in proposed § 164.510. Other commenters believed that covered entities could manipulate the NPRM's ambiguities in their favor, claim that the more stringent law enforcement disclosure rules always should apply, and thereby delay investigations. A few comments suggested that the confusion could be clarified by making the regulation text consistent with the preamble, by stating that when agencies conducting both law enforcement and oversight seek protected health information as part of their oversight activities, the oversight rules would apply.
Response: We agree that the boundary between disclosures for health oversight and disclosures for law enforcement proposed in the NPRM could have been more clear. Because many investigations, particularly investigations involving public benefit programs, have both health oversight and law enforcement aspects to them, and because the same agencies often perform both functions, drawing any distinction between the two functions is necessarily difficult. For example, traditional law enforcement agencies, such as the Federal Bureau of Investigation, have a significant role in health oversight. At the same time, traditional health oversight agencies, such as federal Offices of Inspectors General, often participate in criminal investigations.
To clarify the boundary between law enforcement and oversight for purposes of complying with this rule, we add new language in the final rule, at § 164.512(d)(2). This section indicates that health oversight activities do not include an investigation or activity in which the individual is the subject of the investigation or activity and the investigation or activity does not arise out of and is not directly related to health care fraud. In this rule, we describe investigations involving suspected health care fraud as investigations related to: (1) the receipt of health care; (2) a claim for public benefits related to health; or (3) qualification for, or receipt of public benefits or services where a patient's health is integral to the claim for public benefits or services. In such cases, where the individual is the subject of the investigation and the investigation does not relate to health care fraud, identified as investigations regarding issues (a) through (c), the rules regarding disclosure for law enforcement purposes (see § 164.512(f)) apply.
Where the individual is not the subject of the activity or investigation, or where the investigation or activity relates to health care fraud, a covered entity may make a disclosure pursuant to § 164.512(d)(1), allowing uses and disclosures for health oversight activities. For example, when the U.S. Department of Labor's Pension and Welfare Benefits Administration (PWBA) needs to analyze protected health information about health plan enrollees in order to conduct an audit or investigation of the health plan (i.e., the enrollees are not subjects of the investigation) to investigate potential fraud by the health plan, the health plan may disclose protected health information to the PWBA under the health oversight rules.
To clarify further that health oversight disclosure rules apply generally in health care fraud investigations (subject to the exception described above), in the final rule, we eliminate proposed § 164.510(f)(5)(i), which would have established requirements for disclosure related to health fraud for law enforcement purposes. All disclosures of protected health information that would have been permitted under proposed § 164.510(f)(5)(i) are permitted under § 164.512(d).
We also recognize that sections 201 and 202 of HIPAA, which established a federal Fraud and Abuse Control Program and the Medicare Integrity Program, identified health care fraud-fighting as a critical national priority. Accordingly, under the final rule, in joint law enforcement/oversight investigations involving suspected health care fraud, the health oversight disclosures apply, even if the individual also is the subject of the investigation.
We also recognize that in some cases, health oversight agencies may conduct joint investigations with other oversight agencies involved in investigating claims for benefits unrelated to health. For example, in some cases, a state Medicaid agency may be working with officials of the Food Stamps program to investigate suspected fraud involving Medicaid and Food Stamps. While this issue was not raised specifically in the comments, we add new language (§ 164.512(d)(3)) to provide guidance to covered entities in such situations. Specifically, we clarify that if a health oversight investigation is conducted in conjunction with an oversight activity related to a claim for benefits unrelated to health, the joint activity or investigation is considered health oversight for purposes of the rule, and the covered entities may disclose protected health information pursuant to the health oversight provisions.
Comment: An individual commenter recommended requiring authorization for disclosure of patient records in fraud investigations, unless the individual was the subject or target of the investigation. This commenter recommended requiring a search warrant for cases in which the individual was the subject and stating that fraud investigators should have access to the minimum necessary patient information.
Response: As described above, we recognize that in some cases, activities include elements of both law enforcement and health oversight. Because we consider both of these activities to be critical national priorities, we do not require covered entities to obtain authorization for disclosure of protected health information to law enforcement or health oversight agencies – including those oversight activities related to health care fraud. We believe that investigations involving health care fraud represent health oversight rather than law enforcement. Accordingly, as indicated above, we remove proposed § 164.510(f)(5)(i) from the law enforcement section of the proposed rule and clarify that all disclosures of protected health information for health oversight are permissible without authorization. As discussed in greater detail in § 164.514, the final rule's minimum necessary standard applies to disclosures under § 164.512 unless the disclosure is required by law under § 164.512(a).
Comment: A large number of commenters expressed concern about the potential for health oversight agencies to become, in effect, the "back door" for law enforcement access to such information. The commenters suggested that health oversight agencies could use their relatively unencumbered access to protected health information to circumvent the more stringent process requirements that otherwise would apply to disclosures for law enforcement purposes. These commenters urged us to prohibit health oversight agencies from re-disclosing protected health information to law enforcement.
Response: As indicated above, we do not intend for the rule's permissive approach to health oversight or the absence of specific documentation to permit the government to gather large amounts of protected health information for purposes unrelated to health oversight as defined in the rule, and we do not intend for these oversight provisions to serve as a "back door" for law enforcement access to protected health information. While we do not have the statutory authority to regulate law enforcement and oversight agencies' re-use and re-disclosure of protected health information, we strongly support enactment of comprehensive privacy legislation that would govern public agencies' re-use and re-disclosure of this information. Furthermore, in an effort to prevent health oversight provisions from becoming the back door to law enforcement access to protected health information, the President is issuing an Executive Order that places strict limitations on the use of protected health information gathered in the course of an oversight investigation for law enforcement activities.
Comment: One commenter asked us to allow the requesting agency to decide whether a particular request for protected health information was for law enforcement or oversight purposes.
Response: As described above, we clarify the overlap between law enforcement disclosures and health oversight disclosures based on the privacy and liberty interests of the individual (whether the individual also is the subject of the official inquiry) and the nature of the public interest (whether the inquiry relates to health care fraud or to another potential violation of law). We believe it is more appropriate to establish these criteria than to leave the decision to the discretion of an agency that has a stake in the outcome of the investigation.