HIPAA Regulations: General Discussion on Relationship to Other Federal Laws
As Contained in the HHS HIPAA Rules
HHS Description |
Covered entities subject to these rules are also subject to other federal statutes and regulations. For example, federal programs must comply with the statutes and regulations that govern them. Pursuant to their contracts, Medicare providers must comply with the requirements of the Privacy Act of 1974. Substance abuse treatment facilities are subject to the Substance Abuse Confidentiality provisions of the Public Health Service Act, section 543 and its regulations. And, health care providers in schools, colleges, and universities may come within the purview of the Family Educational Rights and Privacy Act. Thus, covered entities will need to determine how the privacy regulation will affect their ability to comply with these other federal laws.
Many commenters raised questions about how different federal statutes and regulations intersect with the privacy regulation. While we address specific concerns in the response to comments later in the preamble, in this section, we explore some of the general interaction issues. These summaries do not identify all possible conflicts or overlaps of the privacy regulation and other federal laws, but should provide general guidance for complying with both the privacy regulation and other federal laws. The summaries also provide examples of how covered entities can analyze other federal laws when specific questions arise. HHS may consult with other agencies concerning the interpretation of other federal laws as necessary.
HHS Response to Comments Received Relationship to Other Federal Laws - General Discussion |
Comment: We received several comments that sought clarification of the interaction of various federal laws and the privacy regulation. Many of these comments simply listed federal laws and regulations with which the commenter currently must comply. For example, commenters noted that they must comply with regulations relating to safety, public health, and civil rights, including Medicare and Medicaid, the Americans with Disabilities Act, the Family and Medical Leave Act, the Federal Aviation Administration regulations, the Department of Transportation regulations, the Federal Highway Administration regulations, the Occupational Safety and Health Administration regulations, and the Environmental Protection Agency regulations, and alcohol and drug free workplace rules. These commenters suggested that the regulation state clearly and unequivocally that uses or disclosures of protected health information for these purposes were permissible. Some suggested modifying the definition of health care operations to include these uses specifically. Another suggestion was to add a section that permitted the transmission of protected health information to employers when reasonably necessary to comply with federal, state, or municipal laws and regulations, or when necessary for public or employee safety and health.
Response: Although we sympathize with entities' needs to evaluate the existing laws with which they must comply in light of the requirements of the final regulation, we are unable to respond substantially to comments that do not pose specific questions. We offer, however, the following guidance: if an covered entity is required to disclose protected health information pursuant to a specific statutory or regulatory scheme, the covered entity generally will be permitted under Sec. 164.512(a) to make these disclosures without a consent or authorization; if, however, a statute or regulation merely suggests a disclosure, the covered entity will need to determine if the disclosure comes within another category of permissible disclosure under Secs. 164.510 or 164.512 or, alternatively, if the disclosure would otherwise come within Sec. 164.502. If not, the entity will need to obtain a consent or authorization for the disclosure.
Comment: One commenter sought clarification as to when a disclosure is considered to be "required" by another law versus "permitted" by that law.
Responses: We use these terms according to their common usage. By "required by law," we mean that a covered entity has a legal obligation to disclose the information. For example, if a statute states that a covered entity must report the names of all individuals presenting with gunshot wounds to the emergency room or else be fined $500 for each violation, a covered entity would be required by law to disclose the protected health information necessary to comply with this mandate. The privacy regulation permits this type of disclosure, but does not require it. Therefore, if a covered entity chose not to comply with the reporting statute it would violate only the reporting statute and not the privacy regulation.
On the other hand, if a statute stated that a covered entity may or is permitted to report the names of all individuals presenting with gunshot wounds to the emergency room and, in turn, would receive $500 for each month it made these reports, a covered entity would not be permitted by Sec. 164.512(a) to disclose the protected health information. Of course, if another permissible provision applied to these facts, the covered entity could make the disclosure under that provision, but it would not be considered to be a disclosure. See discussion under Sec. 164.512(a) below.
Comment: Several commenters suggested that the proposed rule was unnecessarily duplicative of existing regulations for federal programs, such as Medicare, Medicaid, and the Federal Employee Health Benefit Program.
Response: Congress specifically subjected certain federal programs, including Medicare, Medicaid, and the Federal Employee Health Benefit Program to the privacy regulation by including them within the definition of "health plan." Therefore, covered entities subject to requirements of existing federal programs will also have to comply with the privacy regulation.
Comment: One comment asserts that the regulation would not affect current federal requirements if the current requirements are weaker than the requirements of the privacy regulation. This same commenter suggested that current federal requirements will trump both state law and the proposed regulation, even if Medicaid transactions remain wholly intrastate.
Response: We disagree. As noted in our discussion of "Relationship to Other Federal Laws," each law or regulation will need to be evaluated individually. We similarly disagree with the second assertion made by the commenter. The final rule will preempt state laws only in specific instances. For a more detailed analysis, see the preamble discussion of "Preemption."
Administrative Subpoenas
Comment: One comment stated that the final rule should not impose new standards on administrative subpoenas that would conflict with existing laws or administrative or judicial rules that establish standards for issuing subpoenas. Nor should the final rule conflict with established standards for the conduct of administrative, civil, or criminal proceedings, including the rules regarding the discovery of evidence. Other comments sought further restrictions on access to protected health information in this context.
Response: Section 164.512(e) below addresses disclosures for judicial and administrative proceedings. The final rules generally do not interfere with these existing processes to the extent an individual served with a subpoena, court order, or other similar process is able to raise objections already available. See the discussion below under Sec. 164.512(e) for a fuller response.