DEFINITIONS - PROTECTED HEALTH INFORMATION
SECTION 160.103
As Contained in the HHS Final HIPAA Privacy Rules

HHS Regulations as Amended August 2002
Definitions - Protected Health Information - § 160.103
Protected health information means individually identifiable health
information:

(1) Except as provided in paragraph (2) of this definition, that is:
    (i) Transmitted by electronic media;
    (ii) Maintained in electronic media; or
    (iii) Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable
health information in:
    (i) Education records covered by the Family Educational Rights and
    Privacy Act, as amended, 20 U.S.C. 1232g;
    (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
    (iii) Employment records held by a covered entity in its role as an
    employer.

HHS Description of and Commentary on August 2002 Revisions
Definitions - Protected Health Information
Exclusion for Employment Records.

December 2000 Privacy Rule. The Privacy Rule broadly defines
"protected health information" as individually identifiable health
information maintained or transmitted by a covered entity in any form
or medium. The December 2000 Privacy Rule expressly excluded from the
definition of "protected health information" only educational and
other records that are covered by the Family Educational Rights and
Privacy Act of 1974, as amended, 20 U.S.C. 1232g. In addition,
throughout the December 2000 preamble to the Privacy Rule, the
Department repeatedly stated that the Privacy Rule does not apply to
employers, nor does it apply to the employment functions of covered
entities, that is, when they are acting in their role as employers.
For example, the Department stated:
Covered entities must comply with this regulation in their health care
capacity, not in their capacity as employers. For example, information
in hospital personnel files about a nurses' (sic) sick leave is not
protected health information under this rule.

65 FR 82612. However, the definition of protected health information
did not expressly exclude personnel or employment records of covered
entities.
March 2002 NPRM. The Department understands that covered entities are
also employers, and that this creates two potential sources of
confusion about the status of health information. First, some
employers are required or elect to obtain health information about
their employees as part of their routine employment activities, e.g.,
hiring or compliance with Occupational Safety and Health
Administration (OSHA) requirements. Second, employees of covered
health care providers or health plans sometimes seek treatment or
reimbursement from that provider or health plan, unrelated to the
employment relationship.

To avoid any confusion on the part of covered entities as to
application of the Privacy Rule to the records they maintain as
employers, the Department proposed to modify the definition of
"protected health information" in § 164.501 to expressly exclude
employment records held by a covered entity in its role as employer.
The proposed modification also would alleviate the situation where a
covered entity would feel compelled to elect to designate itself as a
hybrid entity solely to carve out its employment functions.
Individually identifiable health information maintained or transmitted
by a covered entity in its health care capacity would, under the
proposed modification, continue to be treated as protected health
information.
The Department specifically solicited comments on whether the term
"employment records" is clear and what types of records would be
covered by the term.

In addition, as discussed in section III.C.1. below, the Department
proposed to modify the definition of a hybrid entity to permit any
covered entity that engaged in both covered and non-covered functions
to elect to operate as a hybrid entity. Under the proposed
modification, a covered entity that primarily engaged in covered
functions, such as a hospital, would be allowed to elect hybrid entity
status even if its only non-covered functions were those related to
its capacity as an employer. Indeed, because of the absence of an
express exclusion for employment records in the definition of
protected health information, some covered entities may have elected
hybrid entity status under the misconception that this was the only
way to prevent their personnel information from being treated as
protected health information under the Rule.
Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal.

The Department received comments both supporting and opposing the
proposal to add an exemption for employment records to the definition
of protected health information. Support for the proposal was based
primarily on the need for clarity and certainty in this important
area. Moreover, commenters supported the proposed exemption for
employment records because it reinforced and clarified that the
Privacy Rule does not conflict with an employer's obligation under
numerous other laws, including OSHA, Family and Medical Leave Act
(FMLA), workers' compensation, and alcohol and drug free workplace
laws.
Those opposed to the modification were concerned that a covered entity
may abuse its access to the individually identifiable health
information in its employment records by using that information for
discriminatory purposes. Many commenters expressed concern that an
employee's health information created, maintained, or transmitted by
the covered entity in its health care capacity would be considered an
employment record and, therefore, would not be considered protected
health information. Some of these commenters argued for the inclusion
of special provisions, similar to the "adequate separation"
requirements for disclosure of protected health information from group
health plan to plan sponsor functions (§ 164.504(f)), to heighten the
protection for an employee's individually identifiable health
information when moving between a covered entity's health care
functions and its employer functions.

A number of commenters also suggested types of records that the
Department should consider to be "employment records" and, therefore,
excluded from the definition of "protected health information." The
suggested records included records maintained under the FMLA or the
Americans with Disabilities Act (ADA), as well as records relating to
occupational injury, disability insurance eligibility, sick leave
requests and justifications, drug screening results, workplace medical
surveillance, and fitness-for-duty test results. One commenter
suggested that health information related to professional athletes
should qualify as an employment record.
Final Modifications. The Department adopts as final the proposed
language excluding employment records maintained by a covered entity
in its capacity as an employer from the definition of "protected
health information." The Department agrees with commenters that the
regulation should be explicit that it does not apply to a covered
entity's employer functions and that the most effective means of
accomplishing this is through the definition of "protected health
information."

The Department is sensitive to the concerns of commenters that a
covered entity not abuse its access to an employee's individually
identifiable health information which it has created or maintains in
its health care, not its employer, capacity. In responding to these
concerns, the Department must remain within the boundaries set by the
statute, which does not include employers per se as covered entities.
Thus, we cannot regulate employers, even when it is a covered entity
acting as an employer.
To address these concerns, the Department clarifies that a covered
entity must remain cognizant of its dual roles as an employer and as a
health care provider, health plan, or health care clearinghouse.
Individually identifiable health information created, received, or
maintained by a covered entity in its health care capacity is
protected health information. It does not matter if the individual is
a member of the covered entity's workforce or not. Thus, the medical
record of a hospital employee who is receiving treatment at the
hospital is protected health information and is covered by the Rule,
just as the medical record of any other patient of that hospital is
protected health information and covered by the Rule. The hospital may
use that information only as permitted by the Privacy Rule, and in
most cases will need the employee's authorization to access or use the
medical information for employment purposes. When the individual gives
his or her medical information to the covered entity as the employer,
such as when submitting a doctor's statement to document sick leave,
or when the covered entity as employer obtains the employee's written
authorization for disclosure of protected health information, such as
an authorization to disclose the results of a fitness for duty
examination, that medical information becomes part of the employment
record, and, as such, is no longer protected health information. The
covered entity as employer, however, may be subject to other laws and
regulations applicable to the use or disclosure of information in an
employee's employment record.

The Department has decided not to add a definition of the term
"employment records" to the Rule. The comments indicate that the same
individually identifiable health information about an individual may
be maintained by the covered entity in both its employment records and
the medical records it maintains as a health care provider or
enrollment or claims records it maintains as a health plan. The
Department therefore is concerned that a definition of "employment
record" may lead to the misconception that certain types of
information are never protected health information, and will put the
focus incorrectly on the nature of the information rather than the
reasons for which the covered entity obtained the information. For
example, drug screening test results will be protected health
information when the provider administers the test to the employee,
but will not be protected health information when, pursuant to the
employee's authorization, the test results are provided to the
provider acting as employer and placed in the employee's employment
record. Similarly, the results of a fitness for duty exam will be
protected health information when the provider administers the test to
one of its employees, but will not be protected health information
when the results of the fitness for duty exam are turned over to the
provider as employer pursuant to the employee's authorization.
Furthermore, while the examples provided by commenters represent
typical files or records that may be maintained by employers, the
Department does not believe that it has sufficient information to
provide a complete definition of employment record. Therefore, the
Department does not adopt as part of this rulemaking a definition of
employment record, but does clarify that medical information needed
for an employer to carry out its obligations under FMLA, ADA, and
similar laws, as well as files or records related to occupational
injury, disability insurance eligibility, sick leave requests and
justifications, drug screening results, workplace medical
surveillance, and fitness-for-duty tests of employees, may be part of
the employment records maintained by the covered entity in its role as
an employer.

Response to Other Public Comments.
Comment: One commenter requested clarification as to whether the term
"employment record" included the following information that is either
maintained or transmitted by a fully insured group health plan to an
insurer or HMO for enrollment and/or disenrollment purposes: (a) the
identity of an individual including name, address, birth date, marital
status, dependent information and SSN; (b) the individual's choice of
plan; (c) the amount of premiums/contributions for coverage of the
individual; (d) whether the individual is an active employee or
retired; (e) whether the individual is enrolled in Medicare.

Response: All of this information is protected health information when
held by a fully insured group health plan and transmitted to an issuer
or HMO, and the Privacy Rule applies when the group health plan
discloses such information to any entity, including the plan sponsor.
There are special rules in § 164.504(f) which describe the conditions
for disclosure of protected health information to the plan sponsor. If
the group health plan received the information from the plan sponsor,
it becomes protected health information when received by the group
health plan. The plan sponsor is not the covered entity, so this
information will not be protected when held by a plan sponsor, whether
or not it is part of the plan sponsor's "employment record."
Comment: One commenter asked for clarification as to how the
Department would characterize the following items that a covered
entity may have: (1) medical file kept separate from the rest of an
employment record containing (a) doctor's notes; (b) leave requests;
(c) physician certifications; and (d) positive hepatitis test results;
(2) FMLA documentation including: (a) physician certification form;
and (b) leave requests; (3) occupational injury files containing (a)
drug screening; (b) exposure test results; (c) doctor's notes; and (d)
medical director's notes.

Response: As explained above, the nature of the information does not
determine whether it is an employment record. Rather, it depends on
whether the covered entity obtains or creates the information in its
capacity as employer or in its capacity as covered entity. An
employment record may well contain some or all of the items mentioned
by the commenter; but so too might a treatment record. The Department
also recognizes that the employer may be required by law or sound
business practice to treat such medical information as confidential
and maintain it separate from other employment records. It is the
function being performed by the covered entity and the purpose for
which the covered entity has the medical information, not its record
keeping practices, that determines whether the health information is
part of an employment record or whether it is protected health
information.
Comment: One commenter suggested that the health records of
professional athletes should qualify as "employment records." As such,
the records would not be subject to the protections of the Privacy
Rule.

Response: Professional sports teams are unlikely to be covered
entities. Even if a sports team were to be a covered entity,
employment records of a covered entity are not covered by this Rule.
If this comment is suggesting that the records of professional
athletes should be deemed "employment records" even when created or
maintained by health care providers and health plans, the Department
disagrees. No class of individuals should be singled out for reduced
privacy protections. As noted in the preamble to the December 2000
Rule, nothing in this Rule prevents an employer, such as a
professional sports team, from making an employee's agreement to
disclose health records a condition of employment. A covered entity,
therefore, could disclose this information to an employer pursuant to
an authorization.
HHS Description from Original Rulemaking
Definitions - Protected Health Information

We proposed to define “protected health information” to mean
individually identifiable health information that is or has been
electronically maintained or electronically transmitted by a covered
entity, as well as such information when it takes any other form. For
purposes of this definition, we proposed to define “electronically
transmitted” as including information exchanged with a computer using
electronic media, such as the movement of information from one
location to another by magnetic or optical media, transmissions over
the Internet, Extranet, leased lines, dial-up lines, private networks,
telephone voice response, and “faxback” systems. We proposed that this
definition not include “paper-to-paper” faxes, or person-to-person
telephone calls, video teleconferencing, or messages left on
voice-mail.
Further, “electronically maintained” was proposed to mean information
stored by a computer or on any electronic medium from which the
information may be retrieved by a computer, such as electronic memory
chips, magnetic tape, magnetic disk, or compact disc optical media.

The proposal's definition explicitly excluded:
(1) individually identifiable health information that is part of an
“education record” governed by the Family Educational Rights and
Privacy Act (FERPA), 20 U.S.C. 1232g.

(2) individually identifiable health information of inmates of
correctional facilities and detainees in detention facilities.
In this final rule we expand the definition of protected health
information to encompass all individually identifiable health
information transmitted or maintained by a covered entity, regardless
of form. Specifically, we delete the conditions for individually
identifiable health information to be “electronically maintained” or
“electronically transmitted” and the corresponding definitions of
those terms. Instead, the final rule defines protected health
information to be individually identifiable health information that
is:

(1) transmitted by electronic media;
(2) maintained in any medium described in the definition of electronic
media at § 162.103 of this subchapter; or

(3) transmitted or maintained in any other form or medium.
We refer to electronic media, as defined in § 162.103, which means the
mode of electronic transmission. It includes the Internet (wide-open),
Extranet (using Internet technology to link a business with
information only accessible to collaborating parties), leased lines,
dial-up lines, private networks, and those transmissions that are
physically moved from one location to another using magnetic tape,
disk, or compact disk media.

The definition of protected health information is set out in this form
to emphasize the severability of this provision. As discussed below,
we believe we have ample legal authority to cover all individually
identifiable health information transmitted or maintained by covered
entities. We have structured the definition this way so that, if a
court were to disagree with our view of our authority in this area,
the rule would still be operational, albeit with respect to a more
limited universe of information.
Other provisions of the rules below may also be severable, depending
on their scope and operation. For example, if the rule itself provides
a fallback, as it does with respect to the various discretionary uses
and disclosures permitted under § 164.512, the provisions would be
severable under case law.

The definition in the final rule retains the exception relating to
individually identifiable health information in “education records”
governed by FERPA. We also exclude the records described in 20 U.S.C.
1232g(a)(4)(B)(iv). These are records of students held by
post-secondary educational institutions or of students 18 years of age
or older, used exclusively for health care treatment and which have
not been disclosed to anyone other than a health care provider at the
student's request. (See discussion of FERPA above.)
We have removed the exception for individually identifiable health
information of inmates of correctional facilities and detainees in
detention facilities. Individually identifiable health information
about inmates is protected health information under the final rule,
and special rules for use and disclosure of the protected health
information about inmates and their ability to exercise the rights
granted in this rule are described below.

HHS Response to Comments Received from Original Rulemaking
Definitions - Protected Health Information
Comment: An overwhelmingly large number of commenters urged the
Secretary to expand privacy protection to all individually
identifiable health information, regardless of form, held or
transmitted by a covered entity. Commenters provided many arguments in
support of their position. They asserted that expanding the scope of
covered information under the rule would increase patient confidence
in their health care providers and the health care system in general.
Commenters stated that patients may not seek care or honestly discuss
their health conditions with providers if they do not believe that all
of their health information is confidential. In particular, many
suggested that this fear would be particularly strong with certain
classes of patients, such as persons with disabilities, who may be
concerned about potential discrimination, embarrassment or
stigmatization, or domestic violence victims, who may hide the real
cause of their injuries.

In addition, commenters felt that a more uniform standard that covered
all records would reduce the complexity, burden, cost, and enforcement
problems that would result from the NPRM's proposal to treat
electronic and non-electronic records differently. Specifically, they
suggested that such a standard would eliminate any confusion regarding
how to treat mixed records (paper records that include information
that has been stored or transmitted electronically) and would
eliminate the need for health care providers to keep track of which
portions of a paper record have been (or will be) stored or
transmitted electronically, and which are not. Many of these
commenters argued that limiting the definition to information that is
or has at one time been electronic would result in different
protections for electronic and paper records, which they believe would
be unwarranted and give consumers a false sense of security. Other
comments argued that the proposed definition would cause confusion for
providers and patients and would likely cause difficulties in claims
processing. Many others complained about the difficulty of determining
whether information has been maintained or transmitted electronically.
Some asked us to explicitly list the electronic functions that are
intended to be excluded, such as voice mail, fax, etc. It was also
recommended that the definitions of 'electronic transmission' and
'electronic maintenance' be deleted. It was stated that the rule may
apply to many medical devices that are regulated by the FDA. A
commenter also asserted that the proposal's definition was technically
flawed in that computers are also involved in analog electronic
transmissions such as faxes, telephone, etc., which is not the intent
of the language. Many commenters argued that limiting the definition
to information that has been electronic would create a significant
administrative burden, because covered entities would have to figure
out how to apply the rule to some but not all information.
Others argued that covering all individually identifiable health
information would eliminate any disincentives for covered entities to
convert from paper to computerized record systems. These commenters
asserted that under the proposed limited coverage, contrary to the
intent of HIPAA's administrative simplification standards, providers
would avoid converting paper records into computerized systems in
order to bypass the provisions of the regulation. They argued that
treating all records the same is consistent with the goal of
increasing the efficiency of the administration of health care
services.

Lastly, in the NPRM, we explained that while we chose not to extend
our regulatory coverage to all records, we did have the authority to
do so. Several commenters agreed with our interpretation of the
statute and our authority and reiterated such statements in arguing
that we should expand the scope of the rule in this regard.
Response: We find these commenters' arguments persuasive and extend
protections to individually identifiable health information
transmitted or maintained by a covered entity in any form (subject to
the exception for “education records” governed by FERPA and records
described at 20 U.S.C. 1232g(a)(4)(B)(iv)). We do so for the reasons
described by the commenters and in our NPRM, as well as because we
believe that the approach in the final rule creates a logical,
consistent system of protections that recognizes the dynamic nature of
health information use and disclosure in a continually shifting health
care environment. Rules that are specific to certain formats or media,
such as “electronic” or “paper,” cannot address the privacy threats
resulting from evolving forms of data capture and transmission or from
the transfer of the information from one form to another. This
approach avoids the somewhat artificial boundary issues that stem from
defining what is and is not electronic.

In addition, we have reevaluated our reasons for not extending privacy
protections to all paper records in the NPRM and after review of
comments believe such justifications to be less compelling than we
originally thought. For example, in the NPRM, we explained that we
chose not to cover all paper records in order to focus on the public
concerns about health information confidentiality in electronic
communications, and out of concern that the potential additional
burden of covering all records may not be justified because of the
lower privacy risks presented by records that are in paper form only.
As discussed above however, a great many commenters asserted that
dealing with a mixture of protected and non-protected records is more
burdensome, and that public concerns over health information
confidentiality are not at all limited to electronic communications.
We note that medical devices in and of themselves, for example,
pacemakers, are not protected health information for purposes of this
regulation. However, information in or from the device may be
protected health information to the extent that it otherwise meets the
definition.

Comment: Numerous commenters argued that the proposed coverage of any
information other than that which is transmitted electronically and/or
in a HIPAA transaction exceeds the Secretary's authority under section
264(c)(1) of HIPAA. The principal argument was that the initial
language in section 264(c)(1) (“If language governing standards with
respect to the privacy of individually identifiable health information
transmitted in connection with the transactions described in section
1173(a) of the Social Security Act ... is not enacted by August 21,
1999, the Secretary ... shall promulgate final regulations containing
such standards...”) limits the privacy standards to “information
transmitted in connection with the HIPAA transactions.” The precise
argument made by some commenters was that the grant of authority is
contained in the words “such standards,” and that the referent of that
phrase was “standards with respect to the privacy of individually
identifiable health information transmitted in connection with the
transactions described in section 1173(a)...”.
Commenters also argued that this limitation on the Secretary's
authority is discernible from the statutory purpose statement at
section 261 of HIPAA, from the title to section 1173(a) (“Standards to
Enable Electronic Exchange”), and from various statements in the
legislative history, such as the statement in the Conference Report
that the “Secretary would be required to establish standards and
modifications to such standards regarding the privacy of individually
identifiable health information that is in the health information
network." H. Rep. No. 104-736, 104th Cong., 2d Sess., at 265. It was
also argued that extension of coverage beyond the HIPAA transactions
would be inconsistent with the underlying statutory trade-off between
facilitating accessibility of information in the electronic
transactions for which standards are adopted under section 1173(a) and
protecting that information through the privacy standards.

Other commenters argued more generally that the Secretary's authority
was limited to information in electronic form only, not information in
any other form. These comments tended to focus on the statutory
concern with regulating transactions in electronic form and argued
that there was no need to have the privacy standards apply to
information in paper form, because there is significantly less risk of
breach of privacy with respect to such information.
The primary justifications provided by commenters for restricting the
scope of covered individually identifiable health information under
the regulation were that such an approach would reduce the complexity,
burden, cost, and enforcement problems that would result from a rule
that treats electronic and non-electronic records differently; would
appropriately limit the rule's focus to the security risks that are
inherent in electronic transmission or maintenance of individually
identifiable health information; and would conform these provisions of
the rule more closely with their interpretation of the HIPAA statutory
language.

Response: We disagree with these commenters. We believe that
restricting the scope of covered information under the rule consistent
with any of the comments described above would generate a number of
policy concerns. Any restriction in the application of privacy
protections based on the media used to maintain or transmit the
information is by definition arbitrary, unrelated to the potential use
or disclosure of the information itself and therefore not responsive
to actual privacy risks. For example, information contained in a paper
record may be scanned and transmitted worldwide almost as easily as
the same information contained in an electronic claims transaction,
but would potentially not be protected.
In addition, application of the rule to only the standard transactions
would leave large gaps in the amount of health information covered.
This limitation would be particularly harmful for information used and
disclosed by health care providers, who are likely to maintain a great
deal of information never contained in a transaction.

We disagree with the arguments that the Secretary lacks legal
authority to cover all individually identifiable health information
transmitted or maintained by covered entities. The arguments raised by
these comments have two component parts: (1) that the Secretary's
authority is limited by form, to individually identifiable health
information in electronic form only; and (2) that the Secretary's
authority is limited by content, to individually identifiable health
information that is contained in what commenters generally termed the
“HIPAA transactions,” i.e., information contained in a transaction for
which a standard has been adopted under section 1173(a) of the Act.
With respect to the issue of form, the statutory definition of “health
information” at section 1171(4) of the Act defines such information as
“any information, whether oral or recorded in any form or medium”
(emphasis added) which is created or received by certain entities and
relates to the health condition of an individual or the provision of
health care to an individual (emphasis added). “Individually
identifiable health information”, as defined at section 1171(6) of the
Act, is information that is created or received by a subset of the
entities listed in the definition of “health information”, relates to
the same subjects as “health information,” and is, in addition,
individually identifiable. Thus, “individually identifiable health
information” is, as the term itself implies, a subset of “health
information.” As “health information,” “individually identifiable
health information” means, among other things, information that is
“oral or recorded in any form or medium.” Therefore, the statute does
not limit “individually identifiable health information” to
information that is in electronic form only.

With respect to the issue of content, the limitation of the
Secretary's authority to information in HIPAA transactions under
section 264(c)(1) is more apparent than real. While the first sentence
of section 264(c)(1) may be read as limiting the regulations to
standards with respect to the privacy of individually identifiable
health information “transmitted in connection with the HIPAA
transactions,” what that sentence in fact states is that the privacy
regulations must “contain” such standards, not be limited to such
standards. The first sentence thus sets a statutory minimum, first for
Congress, then for the Secretary. The second sentence of section
264(c)(1) directs that the regulations “address at least the subjects
in subsection (b) of section 264.” Section 264(b), in turn, refers
only to “individually identifiable health information”, with no
qualifying language, and refers back to subsection (a) of section 264,
which is not limited to HIPAA transactions. Thus, the first and second
sentences of section 264(c)(1) can be read as consistent with each
other, in which case they direct the issuance of privacy standards
with respect to individually identifiable health information.
Alternatively, they can be read as ambiguous, in which case one must
turn to the legislative history.
The legislative history of section 264 does not reflect the content
limitation of the first sentence of section 264(c)(1). Rather, the
Conference Report summarizes this section as follows: “If Congress
fails to enact privacy legislation, the Secretary is required to
develop standards with respect to privacy of individually identifiable
health information not later than 42 months from the date of
enactment.” Id., at 270. This language indicates that the overriding
purpose of section 264(c)(1) was to postpone the Secretary's duty to
issue privacy standards (which otherwise would have been controlled by
the time limits at section 1174(a)), in order to give Congress more
time to pass privacy legislation. A corollary inference, which is also
supported by other textual evidence in section 264 and Part C of title
XI, is that if Congress failed to act within the time provided, the
original statutory scheme was to kick in. Under that scheme, which is
set out in section 1173(e) of the House bill, the standards to be
adopted were “standards with respect to the privacy of individually
identifiable health information.” Thus, the legislative history of
section 264 supports the statutory interpretation underlying the rules
below.

Comment: Many commenters were opposed to the rule covering specific
forms of communication or records that could potentially be considered
covered information, i.e., faxes, voice mail messages, etc. A subset
of these commenters took issue particularly with the inclusion of oral
communications within the scope of covered information. The commenters
argued that covering information when it takes oral form (e.g., verbal
discussions of a submitted claim) makes the regulation extremely
costly and burdensome, and even impossible to administer. Another
commenter also offered that it would make it nearly impossible to
discuss health information over the phone, as the covered entity
cannot verify that the person on the other end is in fact who he or
she claims to be.
Response: We disagree. Covering oral communications is an important
part of keeping individually identifiable health information private.
If the final rule were not to cover oral communication, a conversation
about a person's protected health information could be shared with
anyone. Therefore, the same protections afforded to paper and
electronically based information must apply to verbal communication as
well. Moreover, the Congress explicitly included “oral” information in
the statutory definition of health information.

Comment: A few commenters supported, without any change, the approach
proposed in the NPRM to limit the scope of covered information to
individually identifiable health information in any form once the
information is transmitted or maintained electronically. These
commenters asserted that our statutory authority limited us
accordingly. Therefore, they believed we had proposed protections to
the extent possible within the bounds of our statutory authority and
could not expand the scope of such protections without new legislative
authority.
Response: We disagree with these commenters regarding the limitations
under our statutory authority. As explained above, we have the
authority to extend the scope of the regulation as we have done in the
final rule. We also note here that most of these commenters who
supported the NPRM's proposed approach, voiced strong support for
extending the scope of coverage to all individually identifiable
health information in any form, but concluded that we had done what we
could within the authority provided.

Comment: One commenter argued that the term “transaction” is generally
understood to denote a business matter, and that the NPRM applied the
term too broadly by including hospital directory information,
communication with a patient's family, researchers' use of data and
many other non-business activities.
Response: This comment reflects a misunderstanding of our use of the
term “transaction.” The uses and disclosures described in the comment
are not “transactions” as defined in § 160.103. The authority to
regulate the types of uses and disclosures described is provided under
section 264 of Pub. L. 104-191. The conduct of the activities noted by
the commenter is not related to the determination of whether a
health care provider is a covered entity. We explain in the preamble
that a health care provider is a covered entity if it transmits health
information in electronic form in connection with transactions
referred to in section 1173(a)(1) of the Act.

Comment: A few commenters asserted that the Secretary has no authority
to regulate “use” of protected health information. They stated that
although section 264(b) mentions that the Secretary should address
“uses and disclosures,” no other section of HIPAA employs the term
“use.”
Response: We disagree with these commenters. As they themselves note,
the authority to regulate use is given in section 264(b) and is
sufficient.

Comment: Some commenters requested clarification as to how certain
types of health information, such as photographs, faxes, X-Rays,
CT-scans, and others would be classified as protected or not under the
rule.
Response: All types of individually identifiable health information in
any form, including those described, when maintained or transmitted by
a covered entity are covered in the final rule.

Comment: A few commenters requested clarification with regard to the
differences between the definitions of individually identifiable
health information and protected health information.
Response: In expanding the scope of covered information in the final
rule, we have simplified the distinction between the two definitions.
In the final rule, protected health information is the subset of
individually identifiable health information that is maintained or
transmitted by a covered entity, and thereby protected by this rule. For
additional discussion of protected health information and individually
identifiable health information, see the descriptive summary of §
164.501.

Comment: A few commenters remarked that the federal government has no
right to access or control any medical records and that HHS must get
consent in order to store or use any individually identifiable health
information.
Response: We understand the commenters' concern. It is not our intent,
nor do we through this rule create any government right of access to
medical records, except as needed to investigate possible violations
of the rule. Some government programs, such as Medicare, are
authorized under other law to gain access to certain beneficiary
records for administrative purposes. However, these programs are
covered by the rule and its privacy protections apply.

Comment: Some commenters asked us to clarify how schools would be
treated by the rule. Some of these commenters worried that privacy
would be compromised if schools were exempted from the provisions of
the final rule. Other commenters thought that school medical records
were included in the provisions of the NPRM.
Response: We agree with the request for clarification and provide
guidance regarding the treatment of medical records in schools in the
"Relationship to Other Federal Laws" preamble discussion of FERPA,
which governs the privacy of education records.

Comment: One commenter was concerned that only some information from a
medical chart would be included as covered information. The commenter
was especially concerned that transcribed material might not be
considered covered information.
Response: As stated above, all individually identifiable health
information in any form, including transcribed or oral information,
maintained or transmitted by a covered entity is covered under the
provisions of the final rule.

Comment: In response to our solicitation of comments on the scope of
the definition of protected health information, many commenters asked
us to narrow the scope of the proposed definition to include only
information in electronic form. Others asked us to include only
information from the HIPAA standard transactions.
Response: For the reasons stated by the commenters who asked us to
expand the proposed definition, we reject these comments. We reject
these approaches for additional reasons, as well. Limiting the
protections to electronic information would, in essence, protect
information only as long as it remained in a computer or other
electronic media; the protections in the rule could be avoided simply
by printing out the information. This approach would thus result in
the illusion, but not the reality, of privacy protections. Limiting
protection to information in HIPAA transactions has many of the
problems in the proposed approach: it would fail to protect
significant amounts of health information, would force covered
entities to figure out which information had and had not been in such
a transaction, and could cause the administrative burdens the
commenters feared would result from protecting some but not all
information.

Comment: A few commenters asserted that the definition of protected
health information should explicitly include “genetic” information. It
was argued that improper disclosure and use of such information could
have a profound impact on individuals and families.
Response: We agree that the definition of protected health information
includes genetic information that otherwise meets the statutory
definition. But we believe that singling out specific types of
protected health information for special mention in the regulation
text could wrongly imply that other types are not included.

Comment: One commenter recommended that the definition of protected
health information be modified to clarify that an entity does not
become a 'covered entity' by providing a device to an individual on
which protected health information may be stored, provided that the
company itself does not store the individual's health information.
Response: We agree with the commenter's analysis, but believe the
definition is sufficiently clear without a specific amendment to this
effect.

Comment: One commenter recommended that the definition be amended to
explicitly exclude individually identifiable health information
maintained, used, or disclosed pursuant to the Fair Credit Reporting
Act, as amended, 15 U.S.C. 1681. It was stated that a disclosure of
payment history to a consumer reporting agency by a covered entity
should not be considered protected health information. Another
commenter recommended that health information, billing information,
and a consumer's credit history be exempted from the definition
because this flow of information is regulated by both the Fair Credit
Reporting Act (FCRA) and the Fair Debt Collection Practices Act
(FDCPA).
Response: We disagree. To the extent that such information meets the
definition of protected health information, it is covered by this
rule. These statutes are designed to protect financial, not health,
information. Further, these statutes primarily regulate entities that
are not covered by this rule, minimizing the potential for overlap or
conflict. The protections in this rule are more appropriate for
protecting health information. However, we add provisions to the
definition of payment which should address these concerns. See the
definition of 'payment' in § 164.501.

Comment: An insurance company recommended that the rule require that
medical records containing protected health information include a
notation on a cover sheet on such records.
Response: Since we have expanded the scope of protected health
information, there is no need for covered entities to distinguish
among their records, and such a notation is not needed. This uniform
coverage eliminates the mixed record problem and resultant potential
for confusion.

Comment: A government agency requested clarification of the definition
to address the status of information that flows through dictation
services.
Response: A covered entity may disclose protected health information
for transcription of dictation under the definition of health care
operations, which allows disclosure for “general administrative”
functions. We view transcription and clerical services generally as
part of a covered entity's general administrative functions. An entity
transcribing dictation on behalf of a covered entity meets this rule's
definition of business associate and may receive protected health
information under a business associate contract with the covered
entity and subject to the other requirements of the rule.

Comment: A commenter recommended that information transmitted for
employee drug testing be exempted from the definition.
Response: We disagree that it is necessary to specifically exclude such
information from the definition of protected health information. If a
covered entity is involved, triggering this rule, the employer may
obtain authorization from the individuals to be tested. Nothing in
this rule prohibits an employer from requiring an employee to provide
such an authorization as a condition of employment.

Comment: A few commenters addressed our proposal to exclude
individually identifiable health information in education records
covered by FERPA. Some expressed support for the exclusion. One
commenter recommended adding another exclusion to the definition for
the treatment records of students who attend institutions of post
secondary education or who are 18 years old or older to avoid
confusion with rules under FERPA. Another commenter suggested that the
definition exclude health information of participants in “Job Corps
programs” as it has for educational records and inmates of
correctional facilities.
Response: We agree with the commenter on the potential for confusion
regarding records of students who attend post-secondary schools or who
are over 18, and therefore in the final rule we exclude records
defined at 20 U.S.C. 1232g(a)(4)(B)(iv) from the definition of
protected health information. For a detailed discussion of this
change, refer to the “Relationship to Other Federal Laws” section of
the preamble. We find no similar reason to exclude “Job Corps
programs” from the requirements of this regulation.

Comment: Some commenters voiced support for the exclusion of the
records of inmates from the definition of protected health
information, maintaining that correctional agencies have a legitimate
need to share some health information internally without authorization
between health service units in various facilities and for purposes of
custody and security. Other commenters suggested that the proposed
exclusion be extended to individually identifiable health information:
created by covered entities providing services to inmates or detainees
under contract to such facilities; of “former” inmates; and of persons
who are in the custody of law enforcement officials, such as the
United States Marshals Service and local police agencies. They stated
that corrections and detention facilities must be able to share
information with law enforcement agencies such as the United States
Marshals Service, the Immigration and Naturalization Services, county
jails, and U.S. Probation Offices.
Another commenter said that there is a need to have access to records
of individuals in community custody and explained that these
individuals are still under the control of the state or local
government and that immediate access to their records for inspections
and/or drug testing is necessary.

A number of commenters were opposed to the proposed exclusion to the
definition of protected health information, arguing that the proposal
was too sweeping. Commenters stated that while access without consent
is acceptable for some purposes, it is not acceptable in all
circumstances. Some of these commenters concurred with the sharing of
health care information with other medical facilities when the inmate
is transferred for treatment. These commenters recommended that we
delete the exception for jails and prisons and substitute specific
language about what information could be disclosed and the limited
circumstances or purposes for which such disclosures could occur.
Others recommended omission of the proposed exclusion entirely,
arguing that excluding this information from protection sends the
message that, with respect to this population, abuses do not matter.
Commenters argued that inmates and detainees have a right to privacy
of medical records and that individually identifiable health
information obtained in these settings can be misused, e.g., when
communicated indiscriminately, health information can trigger assaults
on individuals with stigmatized conditions by fellow inmates or
detainees. It can also lead to the denial of privileges, or
inappropriately influence the deliberations of bodies such as parole
boards.

A number of commenters explicitly took issue with the exclusion
relative to individuals, and in particular youths, with serious mental
illness, seizure disorders, and emotional or substance abuse
disorders. They argued that these individuals come in contact with
criminal justice authorities as a result of behaviors stemming
directly from their illness and asserted that these provisions would
cause serious problems. They argued that disclosing the fact that an
individual was treated for mental illness while incarcerated could
seriously impair the individual's reintegration into the community.
Commenters stated that such disclosures could put the individual or
family members at risk of discrimination by employers and in the
community at large.
Some commenters asserted that the rule should be amended to prohibit
jails and prisons from disclosing private medical information of
individuals who have been discharged from these facilities. They
argued that such disclosures may seriously impair individuals'
rehabilitation into society and subject them to discrimination as they
attempt to re-establish acceptance in the community.

Response: We find commenters' arguments against a blanket exemption
from privacy protection for inmates persuasive. We agree that health
information in these settings may be misused, which poses many risks
to the inmate or detainee and, in some cases, their families, as
described above by the commenters. Accordingly, we delete this
exception from the definition of “protected health information” in the
final rule. The final rule considers individually identifiable health
information of individuals who are prisoners and detainees to be
protected health information to the extent that it meets the
definition and is maintained or transmitted by a covered entity.
At the same time, we agree with those commenters who explained that
correctional facilities have legitimate needs for use and sharing of
individually identifiable health information of inmates without
authorization. Therefore, we add a new provision (§ 164.512(k)(5))
that permits a covered entity to disclose protected health information
about inmates without individual consent, authorization, or agreement
to correctional institutions for specified health care and other
custodial purposes. For example, covered entities are permitted to
disclose for the purposes of providing health care to the individual
who is the inmate, or for the health and safety of other inmates or
officials and employees of the facility. In addition, a covered entity
may disclose protected health information as necessary for the
administration and maintenance of the safety, security, and good order
of the institution. See the preamble discussion of the specific
requirements at § 164.512(k)(5), as well as discussion of certain
limitations on the rights of individuals who are inmates with regard
to their protected health information at §§ 164.506, 164.520, 164.524,
and 164.528.

We also provide the following clarifications. Covered entities that
provide services to inmates under contract to correctional
institutions must treat protected health information about inmates in
accordance with this rule and are permitted to use and disclose such
information to correctional institutions as allowed under §
164.512(k)(5).
As to former inmates, the final rule considers such persons who are
released on parole, probation, supervised release, or are otherwise no
longer in custody, to be individuals who are not inmates. Therefore,
the permissible disclosure provision at § 164.512(k)(5) does not apply
in such cases. Instead, a covered entity must apply privacy
protections to the protected health information about former inmates
in the same manner and to the same extent that it protects the
protected health information of other individuals. In addition,
individuals who are former inmates hold the same rights as all other
individuals under the rule.

As to individuals in community custody, the final rule considers
inmates to be those individuals who are incarcerated in or otherwise
confined to a correctional institution. Thus, to the extent that
community custody confines an individual to a particular facility, §
164.512(k)(5) is applicable.
Copyright 2005-2010, Bricker & Eckler LLP, all rights reserved. 