Re: Standards for Privacy of Individually Identifiable Health Information; 45 C.F.R., Parts 160 and 164

U.S. Department of Health and Human Services
Attention: Privacy I
Hubert H. Humphrey Building
Room 801
200 Independence Avenue, SW
Washington, DC 20201

Re:     Standards for Privacy of Individually Identifiable Health Information; 45 C.F.R., Parts 160 and 164

Dear Sir or Madam:

The Food Marketing Institute (FMI) respectfully submits the following comments in response to the Department of Health and Human Services (HHS) notice requesting comments on the Department’s final regulations implementing standards for the privacy of individually identifiable health information under the Health Insurance Portability and Accountability Act (HIPAA). 66 Fed. Reg. 12738 (Feb. 28, 2001); 65 Fed. Reg. 82462 (Dec. 28, 2000).

For your information, FMI is a non-profit association that conducts programs in research, education, industry relations and public affairs on behalf of its 1,500 members and their subsidiaries. Our membership includes food retailers and wholesalers, as well as their customers, in the United States and around the world. FMI’s domestic member companies operate approximately 21,000 retail food stores with combined annual sales volume of $300 billion, which represents three-quarters of all grocery store sales in the United States.   

FMI’s retail members also operate over 8,000 in-store pharmacy departments. We estimate that supermarket pharmacies account for nearly 14 percent of all outpatient prescription drugs dispensed in the United States. Based on current industry trends toward larger store formats and the convenience of one-stop shopping, we anticipate that the number of pharmacies located in supermarkets will continue to increase in the coming years as will the number of prescriptions that are dispensed on an outpatient basis from these community settings.

FMI has a strong commitment to privacy issues and, in this regard, developed a policy statement regarding the use of consumer data, including pharmacy information. A copy of our statement is enclosed for your reference. As the statement unequivocally states, FMI and its members support the consumer’s right to privacy.

In this regard, we support many of the goals and purposes of the medical privacy regulations. Indeed, in several respects, the final rules represent an improvement over the program that the Department initially proposed. Nonetheless, FMI appreciates the opportunity to provide additional comments to the Department on the final medical privacy regulations that were issued by the Clinton Administration. The Department’s decision to solicit further comments recognizes the complexity of the privacy initiative and the many implementation and compliance challenges that the regulations will present to our industry as employers and providers of health care products and services.

Although our comments are discussed in full below, we would like to call your attention to the following issues that are of particular importance. First, the final rules require covered entities to obtain an individual’s written consent before any treatment, payment, or health care operations can be undertaken on the patient’s behalf. This aspect of the regulation was particularly surprising given the strong arguments the Department made in the proposal for making “the exchange of protected health information relatively easy for health care purposes and more difficult for purposes other than health care.” For all of the reasons set forth in the Department’s own preamble to the proposed rule, prior written consent is unnecessary and unworkable.

Second, the final rules greatly expand the scope of protected health information that is subject to the regulatory requirements. The provisions of HIPAA that require the Department to issue medical privacy regulations only grant HHS the authority to do so for records that are maintained or transmitted in electronic media; the Department’s authority under HIPAA does not extend to information transmitted or maintained in other media, however, the final rules include all records, regardless of the medium in which they were transmitted or maintained. Therefore, we recommend that HHS amend the definition accordingly.

Third, HIPAA requires complicated analyses regarding the relationship between the federal regulations and state laws. That is, to the extent that a provision of a contrary state law is more stringent than the federal standards, the state law will prevail. As the author of the federal standards, the Department has the expertise and, therefore, is in the best position to analyze state privacy laws and their relationship to the federal standards. Accordingly, HHS should provide guidance in this area.

Finally, we recommend that the Department coordinate the compliance dates for the medical privacy regulations with the compliance dates for the companion rule on security standards for health information, which we understand is near completion.

     A.     Part 160 – General Administrative Requirements      

1.     Subpart A: “General Provisions”
Section 160.103: “Definitions”

Section 160.103 sets forth key definitions for the medical privacy regulations. “Health plan” is defined as an individual or group plan that provides or pays the cost of medical care. The comments we filed last year expressed concern that the special employee discount or other membership incentives that some of our member employers offer their employees to allow them to obtain health care, including prescription drugs, at reduced prices might be encompassed within the definition of “health plan.” Given the administrative requirements that attach to “health plans” under the medical privacy rules, we were concerned that many smaller employers might discontinue offering these discounted benefits to their employees.

HHS addressed this concern in the preamble and specifically provided that special employee discount programs would not be considered “health plans,” provided that the membership incentive programs were not part of a group health plan. 66 Fed. Reg. at 82577. We appreciate the Department’s clarification in this regard.

2. Subpart B: “Preemption of State Laws” Sections 160.201-160.205

HIPAA includes express provisions regarding the relationship between the federal medical privacy standards and state law. Specifically, the statute provides that federal standards will “supersede any contrary provision of State law,” unless one of the enumerated statutory exceptions applies. 42 U.S.C. § 1320d-7; HIPAA § 262 (Social Security Act (SSA) § 1178(a)). For instance, a contrary State standard will not be preempted “if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than [those] imposed under the federal regulation.” Id. Additionally, State standards shall not be superseded if the Secretary determines that the State standard is necessary for one of several specific purposes enumerated in the statute, such as to prevent fraud and abuse. Id.

Subpart B of Part 160 reiterates the statutory preemption standards and sets forth a process for requesting exception determinations. However, the regulatory process does not apply to determinations of whether a State law related to the privacy of health information is more stringent than the federal standard. See 45 CFR § 160.204.

FMI strongly supports a national standard to protect the integrity and confidentiality of an individual’s medical information. FMI’s position has been expressed before Congress and in comments that were filed with HHS in response to the notice of proposed rulemaking. In our view, a uniform national standard is the only way to achieve practical protections for sensitive health information. Even though HIPAA provides some room for contrary state laws,¹ we strongly recommend that the Department engage in the following practical efforts to minimize the confusion that is likely to occur given the differences in federal and state laws on medical privacy.

Specifically, although HIPAA does not expressly require the Secretary to conduct determinations as to whether a “contrary” state law is more stringent than the federal standards, FMI urges the Department to accept this responsibility. Numerous privacy laws have already been adopted by the states and more medical privacy legislation is actively under consideration at the state level. Covered entities do not have the expertise to determine whether a given state standard is more or less stringent than the federal standards. Therefore, we firmly believe that the Department should provide guidance on the effect of each new state privacy initiative in relationship to the federal regulations. This important guidance would assist patients in understanding the protections that apply to their health information and would facilitate compliance by covered entities with the applicable federal regulations and/or state requirements. Such guidance should be posted on the HHS web site along with the preemption determinations that the Secretary must make under Section 160.203(a).
          

3.     Subpart C: “Compliance and Enforcement”
Section 160.306(a): Complaints to the Secretary

Regulations governing compliance with and enforcement of the medical privacy rules are provided in Part 160, subpart C. To determine compliance, the Secretary has granted HHS blanket authority to “conduct compliance reviews.” 45 CFR § 160.308. In addition, Section 160.306 allows “persons” who believe that a covered entity is not complying with the medical privacy rules to file a complaint with the Secretary. 45 CFR § 1603.06. The Secretary is authorized to investigate complaints filed under the regulation by reviewing “pertinent policies, procedures, or practices of the covered entity and of the circumstances regarding any alleged acts or omissions concerning compliance.” 45 CFR § 160.306(c). In this regard, Section 160.310 requires covered entities to grant HHS access to the covered entity’s “facilities, books, records, accounts, and other sources of information, including protected health information.” 45 CFR § 160.310(c)(1).

We have several concerns regarding the breadth of the authority the Department has given itself. First, Section 160.308, which authorizes the Secretary to conduct open-ended compliance reviews, is overly broad. Compliance reviews should be limited to situations where the Secretary has received a complaint or has reason to believe there is noncompliance with the regulations. If HHS determines that compliance reviews are needed on a more general basis, the Department should conduct notice and comment rulemaking to amend the rules and set forth specific procedures and standards for compliance reviews, such as scope, timing, etc.

Second, HHS has significantly expanded the scope of the complaint provisions in Section 160.306 by allowing any “person” to file complaints. Only “individuals” were allowed to file complaints under the proposed rule. See 66 Fed. Reg. at 82600. As the purpose of HIPAA is to protect individual rights to medical privacy, the final rule inappropriately broadens the scope of complaints. Only the individual who believes that his or her protected health information is inaccurate or that the covered entity improperly disclosed protected health information should have the right to file a complaint with the Secretary. We urge the Department to modify the final regulations accordingly.

      

B.     Part 164, Subpart E – Privacy of Individually Identifiable Health Information

   

1.     Section 164.501: “Definitions”
“Marketing” and “Treatment”

The medical privacy regulations set forth different disclosure and use requirements for activities that fall within the definition of “marketing” and those activities that are considered “treatment.” See 66 Fed. Reg. at 82493. Specifically, covered entities are required to obtain “authorizations” from individuals before marketing communications may be made, but, in most cases, must obtain the patient’s prior “consent” before treatment. Id. See, also, 45 CFR §§ 164.506, 164.508; 66 Fed. Reg. at 82509. Accordingly, the scope of these definitions is important.

Under the final regulations, “marketing” is defined as “a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.” 45 CFR § 164.501. Certain communications are excepted from the definition if they are made orally or if they are made in writing and the covered entity does not receive remuneration for making the communication. Id. For example, activities such as referrals, prescriptions, recommendations, and other communications that address how a product or service may relate to the individual’s health are excepted from the definition. 66 Fed. Reg. at 82493.

“Treatment,” on the other hand, is defined as “the provision, coordination, or management of health care and related services by one or more health care providers,” to an individual or patient.²   Id. The preamble explains that some “services, such as a refill reminder communication …, are considered treatment activities if performed by or on behalf of a health care provider, such as a pharmacist, but are regarded as health care operations if done on behalf of a different type of entity.” 66 Fed. Reg. 82498.

Although the foregoing sheds some light on the activities that fall within the meaning of “treatment,” we do not believe that the regulations should impose limitations in this area. Artificial distinctions between marketing and treatment based on whether a covered entity receives remuneration are wrong and would not be in the best interest of the patient. Thus, we urge HHS to drop “marketing” from its regulations, or at the very least, to further clarify that activities relating to dispensing prescription drugs – such as generic substitution, therapeutic interchange, rebates, variable co-payments, refill reminder programs, compliance monitoring, and disease state management – are not considered marketing.

            

2.     Section 164.501: “Definitions – Protected Health Information”

In relevant part, Section 164.501 defines “protected health information” as “individually identifiable health information . . . that is (i) transmitted by electronic media; (ii) maintained in any medium described in the definition of electronic media …; or (iii) transmitted or maintained in any other form or medium.” 45 CFR § 164.501 (emphasis added). As discussed more fully below, HIPAA authorizes the Department to regulate only health information that is transmitted or maintained by electronic media. Accordingly, since the final rule includes information “transmitted or maintained in any other form or medium,” the rule substantially and, in our view, impermissibly broadens the regulatory definition of “protected health information.”

Specifically, one of the key reasons that Congress enacted HIPAA was to address various opportunities and challenges presented by the health care industry’s increasing use of and reliance on electronic technology. Indeed, the express purpose of Subtitle F, which directs HHS to promulgate medical privacy regulations, is “…to improve … the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.” 42 U.S.C. § 1320d, note; HIPAA § 261.

With respect to regulatory protections for privacy, HIPAA directs the Department to submit recommendations to Congress regarding the following: the privacy of certain health information (including the rights that an individual who is the subject of individually identifiable health information should have); the procedures that should be established for the exercise of such rights; and the uses and disclosures of such information that should be authorized or required. 42 U.S.C. § 1320d-2, note; HIPAA § 264(b).   If Congress fails to develop legislation “governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act . . ., the Secretary of Health and Human Services shall promulgate final regulations containing such standards.” Id. (emphasis added). Section 1173(a), which is subtitled “Standards to Enable Electronic Exchange,” requires the Secretary to “adopt standards for transactions, and data elements for such transactions to enable health information to be exchanged electronically.” 42 U.S.C. § 1320d-2 (emphasis added); HIPAA § 262(a) (emphasis added). The legislative history confirms that the purpose of the regulations was to ensure the privacy of certain health information that was transmitted in electronic form. H.R. Rep. No. 496, 104 Cong., 2d Sess. 99-101, reprinted in 1996 U.S. Code Cong. & Admin. News 1865, 1900-01; HR. Cong. Rep. No. 736, 104 Cong., 2d Sess. 265, reprinted in 1996 U.S. Code Cong. & Admin. News 1990, 2078.

As the foregoing demonstrates, HIPAA only authorizes HHS to regulate health information that is transmitted or maintained in electronic format; the Department’s authority under HIPAA does not extend to information transmitted or maintained in other media. Moreover, while we believe that health care providers should exercise sound professional judgment when sensitive medical information is communicated orally, the inclusion of oral communications under the definition of protected health information is inadvisable from a policy perspective. For example, the documentation and recordkeeping requirements would be exceedingly difficult to apply when protected health information is discussed orally. Any administrative requirements for oral health information would be excessively burdensome and costly for covered entities, including community pharmacists, not to mention exceedingly difficult to enforce. Therefore, we urge HHS to revisit the final regulation in this regard and to delete non-electronically transmitted information from the scope of protected health information.³

            

3.     Section 164.502(b): “Uses and Disclosures of Protected Health Information: General Rules – Minimum Necessary Standard” Section 164.514(d): “Other Requirements Relating to Uses and Disclosures of Protected Health Information – Minimum Necessary”

Sections 164.502(b) and 164.514(d) respectively set forth the standards for applying the “minimum necessary” requirement and the policies and procedures that covered entities must adopt to implement the “minimum necessary” standard. Specifically, Section 164.502(b)(1) requires covered entities to undertake reasonable efforts to limit the amount of protected health information that is used or disclosed to the minimum necessary to accomplish the intended purpose. However, the “minimum necessary” standard does not apply to certain situations enumerated in the regulation, including to disclosures to or requests by a health care provider for treatment. 45 CFR § 164.502(b)(2)(i).

Section 164.514(d) generally requires covered entities to institute policies and procedures to restrict use and disclosure of protected health information within and from covered entities. Specifically, with respect to minimum necessary use, covered entities are required to survey their workforces to determine the persons or classes of persons who need access to protected health information and then to determine which information they need. Reasonable efforts must then be made to ensure that such limits are observed. 45 CFR § 164.514(d)(2). Covered entities must further develop policies and criteria to limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. Id. at 164.514(d)(3).

FMI supports the new provision in the final rule that excludes disclosures to or requests by a health care provider for treatment under Section 164.502(b)(2)(i). The proposed regulation would have significantly impeded the ability of health care providers to provide quality health care to patients based on the availability and review of the individual’s medical records. Therefore, the amendment in the final rule is important for health care providers and individuals alike. Similarly, the “minimum necessary” standard should not apply to routine uses and disclosures of protected health information for health care operations and payment purposes. HHS should amend the regulations to exclude these activities from the “minimum necessary” standard as well.⁴   
            

4.     Section 164.502(e): “Uses and Disclosures of Protected Health Information – Disclosures to Business Associates”
Section 164.504(e): “Uses and Disclosures: Organizational Requirements – Business Associate”

As discussed more fully below, the medical privacy regulations impose requirements on covered entities to force the covered entities’ “business associates” to adhere to the medical privacy regulations even though the Department admits that HIPAA did not grant HHS authority of this breadth.

Specifically, Section 164.502(e) requires a covered entity to “obtain satisfactory assurance that the business associate will appropriately safeguard” protected health information before the covered entity may disclose such information to the business associate.⁵   Section 164.504 requires the contract or other arrangement that provides the assurance to include a laundry list of specific provisions. In particular, the contract must establish the permitted and required uses and disclosures of protected health information and further require that the business associate will: (1) not use or disclose information beyond those specified in the contract; (2) use appropriate safeguards to prevent unauthorized use or disclosure; (3) report any unauthorized use or disclosure to the covered entity; (4) ensure that any agents that receive the protected information will agree to the same restrictions; (5) make its internal practices, books and records relating to the use and disclosure of protected health information available to the Department; and (6) return or destroy all protected health information at the termination of the contract. 45 CFR § 164.504(e). The regulations further require the contract to specify that the covered entity will terminate the contract if the covered entity determines that the business associate violated a material term of the contract. Id. at § 164.504(e)(2)(iii).

Moreover, a covered entity will be deemed in violation of the regulations – and, therefore, subject to penalty – if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract, unless the covered entity took reasonable steps to cure the breach or end the violation. Id. at § 164.504(e)(1)(ii). If such steps were unsuccessful, a covered entity is required to terminate the contract or report the problem to the Secretary. Id.

Although the current “business associate” regulations are an improvement over the “business partner” provisions that were included in the proposed rule,⁶ the extension of the Department’s regulatory authority to encompass any businesses related to covered entities is beyond the Department’s authority under HIPAA. Specifically, HIPAA does not reference either “business associates” or “business partners,” and HHS readily admits in the preamble to the proposed rule that the Department lacks authority to regulate these entities. See, e.g., 64 Fed. Reg. at 59924.

HHS should not attempt to harness private sector relationships to accomplish regulatory objectives that are beyond the Agency’s statutory authority. The result will be poor public policy and fouled private business. Therefore, FMI once again urges HHS to delete the section on “business associates” and its attendant regulatory requirements from the regulations, especially the requirement that covered entities must enter into contracts with “business associates” who receive identifiable health information. In our view, the contract requirement would be costly, and would likely increase a covered entity’s exposure to litigation as these contracts may allow for a private right of action in state courts.
            

5.     Section 164.504: “Uses and Disclosures: Organizational Requirements”

The Department’s final regulations grant covered entities the flexibility to designate whether its subsidiaries are each separate covered entities or together comprise a single covered entity. FMI raised this issue in the comments filed with the Department on the proposal and strongly supports the flexibility that is provided in the final regulations.

In addition, we support the general approach outlined in the final rule with respect to organizations that are primarily involved in non-health care activities, but also provide some health care services or operate health plans, such as schools with on-site health clinics or employers that self-administer a sponsored health plan. 45 CFR § 164.504; 66 Fed. Reg. at 82502. To address so-called “hybrid entity” situations, HHS distinguishes between the health care components of the entity and the entity as a whole.

Under the regulations, a “hybrid entity” is defined as “a single legal entity that is a covered entity and whose covered functions are not its primary functions.” 45 CFR § 164.504(a). “Health care components” are those parts of a covered entity that perform the activities that render the overall entity a health plan, health care provider, or health care clearinghouse that is subject to the medical privacy requirements. 45 CFR §§ 164.504(a), 164.501. Section 164.504 provides that the requirements of Part 164, Subpart C (with the obvious exception of Section 164.504 itself) apply only to the health care components of a hybrid entity. 45 CFR § 164.504(b). To ensure that the integrity of the system is maintained, HHS requires the covered hybrid entity to establish procedures, including “firewalls,” to safeguard the protected health information maintained by the health care component. Id. at § 164.504(c)(2).

To explain the construct, FDA said that, “it makes sense not to require the entire entity to comply with the requirements of the rules below, when most of its activities have little or nothing to do with the provision of health care; rather, as a practical matter, it makes sense for such an entity to focus its compliance efforts on the component that is actually performing the health care functions.” 66 Fed. Reg. at 82502. HHS further recommended that “a common sense evaluation” be used to determine whether or not the covered functions are also the primary functions of a hybrid entity. Id. We appreciate and support the Department’s approach to this situation.
               

6.     Section 164.506: “Consent for Uses or Disclosures To Carry Out Treatment, Payment or Health Care Operations”

Except in the limited circumstances further provided in the regulation, Section 164.506 requires covered health care providers to obtain an individual’s written consent prior to using or disclosing protected health information to carry out treatment, payment, or health care operations. 45 CFR § 164.506(a). The written consent, which must be signed and dated by the individual, must be in plain language and must contain the elements listed in the regulation.⁷   Id. at 164.506(c). A covered health care provider may condition treatment on the individual’s consent to the provider’s use or disclosure of the information for the limited treatment, payment and health care operation purposes. Id. at § 164.506(b).

In this regard, the final regulations represent a significant departure from the proposed rules. The Department’s proposed regulations allowed for the use and disclosure of protected medical information to carry out treatment, payment or health care operations without the need for the individual’s specific authorization. See Proposed 45 CFR § 164.506. The rationale HHS provided for the proposed approach is convincing.

First, HHS found that consent given prior to treatment gave individuals little actual control over their health information. When an individual is required to sign a blanket authorization at the point of receiving care or enrolling for coverage, that consent is often not voluntary because the individual must sign the form as a condition of treatment or payment for treatment. In addition, when the authorization precedes creation of the record, the individual cannot predict all the information the record could contain and, therefore, cannot make an informed decision as to what would be released. 64 Fed. Reg. 59918, 60023 (Nov. 3, 1999).

Second, the Department stated their intention “to make the exchange of protected health information relatively easy for health care purposes and more difficult for purposes other than health care.” Id. HHS found that a requirement for separate patient authorizations for each routine referral could impair care by delaying consultation and referral as well as payment. The Department stated that the approach outlined “would be the most realistic way to protect individual confidentiality in an increasingly data-driven, electronic and integrated health care system.” Id.

FMI strongly supports the authorization system provided for in the proposed rule as it related to treatment, payment and health care operations and believes the reasons HHS set forth in the preamble to the proposal are just as valid today. The preamble to the final rule offers little justification for the change.⁸   See 66 Fed. Reg. at 82510, 82648.

The final rule’s requirement that health care providers must obtain written consent prior to using or disclosing protected medical information is of great concern to FMI supermarket members who operate pharmacies. If left unchanged, the requirement will prevent pharmacists from initiating any of the functions relating to filling, dispensing, eligibility verification, insurance coverage, drug utilization review, counseling or other activities until written consent is given. The advantages to patients of having the physician phone in or electronically transmit a prescription to a pharmacy will be negated by the prior written consent requirement. As a result, it will take considerably longer for pharmacists to dispense medications; the resulting delay will unnecessarily inconvenience all patients. FMI believes that delays in dispensing prescriptions should be avoided as they will pose significant hardships to certain patient groups, especially the elderly, parents with sick children, individuals with disabilities and patients living in rural communities who must travel long distances to a pharmacy for their medications.

In addition, the final rule does not adequately address the problems that will be presented by the prior written consent requirement when a family member, neighbor or caregiver picks up a prescription for an elderly patient or an individual with a disability. According to industry estimates, nearly 50 percent of all prescriptions are picked up by someone other than the patient. In our view, the prior written consent requirement is inappropriate and unrealistic if the patient does not personally pick up his or her prescription at the community pharmacy.   Recognizing the very disruptive consequences that the prior written consent requirement will have on the efficient dispensing of prescription medications to patients and the likely increase in prescription prices that consumers will incur as a result of the higher operational costs incurred by the pharmacy, FMI strongly urges the Department to delete the prior written consent provision from the regulations.

Alternatively, if the Department refuses to delete the prior written consent requirement, FMI recommends that HHS at least adopt a more practical approach. For example, the regulations should be amended to allow pharmacists to obtain written consent at any point during the filling or dispensing of a prescription. Additionally, if a family member, neighbor or caregiver picks up a prescription for a patient, the rules should allow the consent form to be signed and returned to the pharmacy at the convenience of the patient or the person who picked up the prescription on behalf of the patient. Pharmacists should not be held liable if a family member, neighbor or caregiver fails to return the signed consent form.

The regulations should further clarify that the written consent requirement only applies to the first prescription that a new patient has filled at a pharmacy. Once the patient has given written consent, the consent should apply to all other prescriptions filled for the patient at the pharmacy. If the pharmacy is one of many pharmacies operated by a covered entity, HHS should deem the patient’s initial consent to be valid at each pharmacy operated by the covered entity. Finally, FMI urges the Department to clarify that written consent is not required for refills.
            

7.     Section 164.512(b), (l): “Uses and Disclosures for Which Consent, Authorization, or Opportunity To Agree or Object Is Not Required – Employment and Workers’ Compensation”

Section 164.512 sets forth the conditions under which covered entities may use or disclose protected health information without the consent, authorization or agreement of the individual. 45 CFR § 164.512. Two provisions of this section are of particular interest to FMI and its members: disclosures to employers and disclosures for workers’ compensation purposes. 45 CFR §§ 164.512(b)(1)(v), (l).

First, the regulations permit covered entities to disclose protected health information to employers about an individual who is a member of the employer’s workforce without any affirmative agreement by the individual, although the covered entity must post notices that such information may be made available to employers. Id. at 164.512(b)(1)(v). However, the exception as currently written only applies if all of the circumstances identified in the regulation are met, including that the employer requires the protected health information in order to comply with its obligations under the Occupational Safety and Health Act, the Mine Safety and Health Act, or similar state laws that require the recordation of illness or injury or require employers to conduct workplace medical surveillance.

The medical privacy regulations should be amended to permit disclosure without authorization of medical information to employers for use in employment determinations, as well. While the supermarket industry agrees that medical records should not be used to discriminate against an individual who is otherwise qualified and able to perform the essential functions of a job, there are numerous legitimate disclosures to employers that should be permitted without an individual’s authorization. For example, many employers require applicants to take a physical examination or a drug test as a condition of employment. Employee medical examinations, such as fitness-for-duty exams or drug tests, should not require an individual’s consent or authorization in order for the information to be disclosed to the employer. Similarly, an individual’s authorization should not be required for matters relating to reasonable accommodation, job restructuring, or validating a serious health condition, such as infectious and communicable diseases with respect to employment determinations under the Americans with Disabilities Act (ADA).⁹

Second, 164.512(l) allows covered entities to disclose protected health information without individual authorization to the extent that such disclosure is authorized by and necessary to comply with laws that provide for workers’ compensation or other similar programs that provide benefits for work-related injuries or illness without regard to fault. FMI supports the regulatory exclusion, but recommends that the Department amend the final rules to expand the exclusion to include employers. Specifically, the regulations should permit the disclosure of protected health information by covered entities to employers without the need for an individual’s authorization so that worker’s compensation claims can be settled in an efficient manner. State worker’s compensation laws obligate employers to make decisions with respect to matters such as re-employment and returning to work for injured or disabled associates. In order to meet these obligations, employers must have access to protected health information without an individual’s authorization.

In this regard, an employer needs access to the entire medical record in order to make the best decision as to re-employment, re-assignment or job restructuring for an associate. The preamble states that the “minimum necessary” standard applies to disclosures made under Section 164.512(l). 66 Fed. Reg. at 82542. Careless application of the “minimum necessary” standard will prevent employers from receiving the information necessary to discharge their obligations. Therefore, we urge HHS to revise Section 164.512 to permit disclosures to employers without individual authorization in the employment situations discussed above and either affirmatively state that disclosures relating to employment and worker’s compensation determinations are not subject to the “minimum necessary” standard or provide that, in the foregoing context, “minimum necessary” may reasonably require the disclosure of the entire medical record.
            

8.     Section 164.512(j): “Uses and Disclosures for Which Consent, Authorization, or Opportunity To Agree or Object Is Not Required – To Avert a Serious Threat to Health and Safety”

Section 164.512(j) allows covered entities to use or disclose protected health information without an individual’s authorization if the use or disclosure is made in good faith to a person or persons reasonably able to prevent a serious and imminent threat to personal or public safety. 45 CFR § 164.512(j). We interpret this provision as allowing the health care component of an employer that becomes aware that an employee poses a significant safety threat or risk to other workers or the general public to use or disclose necessary protected health information in a manner that is likely to prevent or lessen the threat. We strongly support this provision and urge that it be maintained in the regulations.
            

9.     Section 164.520: “Notice of Privacy Practices for Protected Health Information”

Section 164.520 gives individuals the right under most circumstances to “adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to protected health information.” 45 CFR § 164.520(a). A covered entity that maintains a web site that provides information about the covered entity’s customer services or benefits must prominently post its notice on and make the notice available electronically through the web site. Id. at 164.520(c)(3).

We believe that a supermarket corporation that operates in-store pharmacies but does not offer prescription drug products and services over the Internet should not have to post a notice requirement on its web site. Although this concern may be addressed by Section 164.504(b) – which states that the requirements of Part 164, Subpart E apply only to the health care component of a hybrid entity – it would be helpful if the regulations, or at least the preamble, addressed this issue directly.
            

10.     Section 164.522: “Right To Request Privacy Protection for Protected Health Information”

Section 164.522 requires covered entities to permit individuals to ask the covered entity to restrict uses or disclosures of protected health information. 45 CFR § 164.522. Covered entities may refuse to grant the requested restriction or may terminate a granted restriction prospectively. Id. at § 164.522(a). While FMI agrees that individuals should have the right to control the use and disclosure of their protected health information under most circumstances, we remain very concerned about the effect that the restriction of information – particularly in the areas of treatment and payment – will have on the delivery and quality of health care.

As discussed above, the final rules grant a new right to patients: although it is structured in the form of a requirement on health care providers, patients must grant their prior written consent before protected health information may be used for treatment, payment or health care operations. (See discussion above.) The right to grant (or refuse) consent was not provided for in the proposed rule and the final rule does not adequately consider the interaction of the prior written consent requirement and the right to request restricted use or disclosures of protected health information.

Before patients are allowed to enter into a relationship with a health care provider, patients are now required to decide whether to grant their consent for the use of their protected health information for payment, treatment and health care operations. If the patient decides to grant consent, the consent only covers those activities related to the patient’s immediate health care