§1320d–2. Standards for information transactions and data elements
(a) Standards to enable electronic exchange
(1) In general
The Secretary shall adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically, that are appropriate for-
(A) the financial and administrative transactions described in paragraph (2); and
(B) other financial and administrative transactions determined appropriate by the Secretary, consistent with the goals of improving the operation of the health care system and reducing administrative costs, and subject to the requirements under paragraph (5).
(2) Transactions
The transactions referred to in paragraph (1)(A) are transactions with respect to the following:
(A) Health claims or equivalent encounter information.
(B) Health claims attachments.
(C) Enrollment and disenrollment in a health plan.
(D) Eligibility for a health plan.
(E) Health care payment and remittance advice.
(F) Health plan premium payments.
(G) First report of injury.
(H) Health claim status.
(I) Referral certification and authorization.
(J) Electronic funds transfers.
(3) Accommodation of specific providers
The standards adopted by the Secretary under paragraph (1) shall accommodate the needs of different types of health care providers.
(4) Requirements for financial and administrative transactions
(A) In general
The standards and associated operating rules adopted by the Secretary shall-
(i) to the extent feasible and appropriate, enable determination of an individual's eligibility and financial responsibility for specific services prior to or at the point of care;
(ii) be comprehensive, requiring minimal augmentation by paper or other communications;
(iii) provide for timely acknowledgment, response, and status reporting that supports a transparent claims and denial management process (including adjudication and appeals); and
(iv) describe all data elements (including reason and remark codes) in unambiguous terms, require that such data elements be required or conditioned upon set values in other fields, and prohibit additional conditions (except where necessary to implement State or Federal law, or to protect against fraud and abuse).
(B) Reduction of clerical burden
In adopting standards and operating rules for the transactions referred to under paragraph (1), the Secretary shall seek to reduce the number and complexity of forms (including paper and electronic forms) and data entry required by patients and providers.
(5) Consideration of standardization of activities and items
(A) In general
For purposes of carrying out paragraph (1)(B), the Secretary shall solicit, not later than January 1, 2012, and not less than every 3 years thereafter, input from entities described in subparagraph (B) on-
(i) whether there could be greater uniformity in financial and administrative activities and items, as determined appropriate by the Secretary; and
(ii) whether such activities should be considered financial and administrative transactions (as described in paragraph (1)(B)) for which the adoption of standards and operating rules would improve the operation of the health care system and reduce administrative costs.
(B) Solicitation of input
For purposes of subparagraph (A), the Secretary shall seek input from-
(i) the National Committee on Vital and Health Statistics, the Health Information Technology Policy Committee, and the Health Information Technology Standards Committee; and
(ii) standard setting organizations and stakeholders, as determined appropriate by the Secretary.
(b) Unique health identifiers
(1) In general
The Secretary shall adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system. In carrying out the preceding sentence for each health plan and health care provider, the Secretary shall take into account multiple uses for identifiers and multiple locations and specialty classifications for health care providers.
(2) Use of identifiers
The standards adopted under paragraph (1) shall specify the purposes for which a unique health identifier may be used.
(c) Code sets
(1) In general
The Secretary shall adopt standards that-
(A) select code sets for appropriate data elements for the transactions referred to in subsection (a)(1) from among the code sets that have been developed by private and public entities; or
(B) establish code sets for such data elements if no code sets for the data elements have been developed.
(2) Distribution
The Secretary shall establish efficient and low-cost procedures for distribution (including electronic distribution) of code sets and modifications made to such code sets under section 1320d–3(b) of this title.
(d) Security standards for health information
(1) Security standards
The Secretary shall adopt security standards that-
(A) take into account-
(i) the technical capabilities of record systems used to maintain health information;
(ii) the costs of security measures;
(iii) the need for training persons who have access to health information;
(iv) the value of audit trails in computerized record systems; and
(v) the needs and capabilities of small health care providers and rural health care providers (as such providers are defined by the Secretary); and
(B) ensure that a health care clearinghouse, if it is part of a larger organization, has policies and security procedures which isolate the activities of the health care clearinghouse with respect to processing information in a manner that prevents unauthorized access to such information by such larger organization.
(2) Safeguards
Each person described in section 1320d–1(a) of this title who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards-
(A) to ensure the integrity and confidentiality of the information;
(B) to protect against any reasonably anticipated-
(i) threats or hazards to the security or integrity of the information; and
(ii) unauthorized uses or disclosures of the information; and
(C) otherwise to ensure compliance with this part by the officers and employees of such person.
(e) Electronic signature
(1) Standards
The Secretary, in coordination with the Secretary of Commerce, shall adopt standards specifying procedures for the electronic transmission and authentication of signatures with respect to the transactions referred to in subsection (a)(1).
(2) Effect of compliance
Compliance with the standards adopted under paragraph (1) shall be deemed to satisfy Federal and State statutory requirements for written signatures with respect to the transactions referred to in subsection (a)(1).
(f) Transfer of information among health plans
The Secretary shall adopt standards for transferring among health plans appropriate standard data elements needed for the coordination of benefits, the sequential processing of claims, and other data elements for individuals who have more than one health plan.
(g) Operating rules
(1) In general
The Secretary shall adopt a single set of operating rules for each transaction referred to under subsection (a)(1) with the goal of creating as much uniformity in the implementation of the electronic standards as possible. Such operating rules shall be consensus-based and reflect the necessary business rules affecting health plans and health care providers and the manner in which they operate pursuant to standards issued under the Health Insurance Portability and Accountability Act of 1996.
(2) Operating rules development
In adopting operating rules under this subsection, the Secretary shall consider recommendations for operating rules developed by a qualified nonprofit entity that meets the following requirements:
(A) The entity focuses its mission on administrative simplification.
(B) The entity demonstrates a multi-stakeholder and consensus-based process for development of operating rules, including representation by or participation from health plans, health care providers, vendors, relevant Federal agencies, and other standard development organizations.
(C) The entity has a public set of guiding principles that ensure the operating rules and process are open and transparent, and supports nondiscrimination and conflict of interest policies that demonstrate a commitment to open, fair, and nondiscriminatory practices.
(D) The entity builds on the transaction standards issued under the Health Insurance Portability and Accountability Act of 1996.
(E) The entity allows for public review and updates of the operating rules.
(3) Review and recommendations
The National Committee on Vital and Health Statistics shall-
(A) advise the Secretary as to whether a nonprofit entity meets the requirements under paragraph (2);
(B) review the operating rules developed and recommended by such nonprofit entity;
(C) determine whether such operating rules represent a consensus view of the health care stakeholders and are consistent with and do not conflict with other existing standards;
(D) evaluate whether such operating rules are consistent with electronic standards adopted for health information technology; and
(E) submit to the Secretary a recommendation as to whether the Secretary should adopt such operating rules.
(4) Implementation
(A) In general
The Secretary shall adopt operating rules under this subsection, by regulation in accordance with subparagraph (C), following consideration of the operating rules developed by the non-profit entity described in paragraph (2) and the recommendation submitted by the National Committee on Vital and Health Statistics under paragraph (3)(E) and having ensured consultation with providers.
(B) Adoption requirements; effective dates
(i) Eligibility for a health plan and health claim status
The set of operating rules for eligibility for a health plan and health claim status transactions shall be adopted not later than July 1, 2011, in a manner ensuring that such operating rules are effective not later than January 1, 2013, and may allow for the use of a machine readable identification card.
(ii) Electronic funds transfers and health care payment and remittance advice
The set of operating rules for electronic funds transfers and health care payment and remittance advice transactions shall-
(I) allow for automated reconciliation of the electronic payment with the remittance advice; and
(II) be adopted not later than July 1, 2012, in a manner ensuring that such operating rules are effective not later than January 1, 2014.
(iii) Health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, referral certification and authorization
The set of operating rules for health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, and referral certification and authorization transactions shall be adopted not later than July 1, 2014, in a manner ensuring that such operating rules are effective not later than January 1, 2016.
(C) Expedited rulemaking
The Secretary shall promulgate an interim final rule applying any standard or operating rule recommended by the National Committee on Vital and Health Statistics pursuant to paragraph (3). The Secretary shall accept and consider public comments on any interim final rule published under this subparagraph for 60 days after the date of such publication.
(h) Compliance
(1) Health plan certification
(A) Eligibility for a health plan, health claim status, electronic funds transfers, health care payment and remittance advice
Not later than December 31, 2013, a health plan shall file a statement with the Secretary, in such form as the Secretary may require, certifying that the data and information systems for such plan are in compliance with any applicable standards (as described under paragraph (7) of section 1320d of this title) and associated operating rules (as described under paragraph (9) of such section) for electronic funds transfers, eligibility for a health plan, health claim status, and health care payment and remittance advice, respectively.
(B) Health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, health claims attachments, referral certification and authorization
Not later than December 31, 2015, a health plan shall file a statement with the Secretary, in such form as the Secretary may require, certifying that the data and information systems for such plan are in compliance with any applicable standards and associated operating rules for health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, health claims attachments, and referral certification and authorization, respectively. A health plan shall provide the same level of documentation to certify compliance with such transactions as is required to certify compliance with the transactions specified in subparagraph (A).
(2) Documentation of compliance
A health plan shall provide the Secretary, in such form as the Secretary may require, with adequate documentation of compliance with the standards and operating rules described under paragraph (1). A health plan shall not be considered to have provided adequate documentation and shall not be certified as being in compliance with such standards, unless the health plan-
(A) demonstrates to the Secretary that the plan conducts the electronic transactions specified in paragraph (1) in a manner that fully complies with the regulations of the Secretary; and
(B) provides documentation showing that the plan has completed end-to-end testing for such transactions with their partners, such as hospitals and physicians.
(3) Service contracts
A health plan shall be required to ensure that any entities that provide services pursuant to a contract with such health plan shall comply with any applicable certification and compliance requirements (and provide the Secretary with adequate documentation of such compliance) under this subsection.
(4) Certification by outside entity
The Secretary may designate independent, outside entities to certify that a health plan has complied with the requirements under this subsection, provided that the certification standards employed by such entities are in accordance with any standards or operating rules issued by the Secretary.
(5) Compliance with revised standards and operating rules
(A) In general
A health plan (including entities described under paragraph (3)) shall file a statement with the Secretary, in such form as the Secretary may require, certifying that the data and information systems for such plan are in compliance with any applicable revised standards and associated operating rules under this subsection for any interim final rule promulgated by the Secretary under subsection (i) that-
(i) amends any standard or operating rule described under paragraph (1) of this subsection; or
(ii) establishes a standard (as described under subsection (a)(1)(B)) or associated operating rules (as described under subsection (i)(5)) for any other financial and administrative transactions.
(B) Date of compliance
A health plan shall comply with such requirements not later than the effective date of the applicable standard or operating rule.
(6) Audits of health plans
The Secretary shall conduct periodic audits to ensure that health plans (including entities described under paragraph (3)) are in compliance with any standards and operating rules that are described under paragraph (1) or subsection (i)(5).
(i) Review and amendment of standards and operating rules
(1) Establishment
Not later than January 1, 2014, the Secretary shall establish a review committee (as described under paragraph (4)).
(2) Evaluations and reports
(A) Hearings
Not later than April 1, 2014, and not less than biennially thereafter, the Secretary, acting through the review committee, shall conduct hearings to evaluate and review the adopted standards and operating rules established under this section.
(B) Report
Not later than July 1, 2014, and not less than biennially thereafter, the review committee shall provide recommendations for updating and improving such standards and operating rules. The review committee shall recommend a single set of operating rules per transaction standard and maintain the goal of creating as much uniformity as possible in the implementation of the electronic standards.
(3) Interim final rulemaking
(A) In general
Any recommendations to amend adopted standards and operating rules that have been approved by the review committee and reported to the Secretary under paragraph (2)(B) shall be adopted by the Secretary through promulgation of an interim final rule not later than 90 days after receipt of the committee's report.
(B) Public comment
(i) Public comment period
The Secretary shall accept and consider public comments on any interim final rule published under this paragraph for 60 days after the date of such publication.
(ii) Effective date
The effective date of any amendment to existing standards or operating rules that is adopted through an interim final rule published under this paragraph shall be 25 months following the close of such public comment period.
(4) Review committee
(A) Definition
For the purposes of this subsection, the term "review committee" means a committee chartered by or within the Department of Health and Human Services that has been designated by the Secretary to carry out this subsection, including-
(i) the National Committee on Vital and Health Statistics; or
(ii) any appropriate committee as determined by the Secretary.
(B) Coordination of HIT standards
In developing recommendations under this subsection, the review committee shall ensure coordination, as appropriate, with the standards that support the certified electronic health record technology approved by the Office of the National Coordinator for Health Information Technology.
(5) Operating rules for other standards adopted by the Secretary
The Secretary shall adopt a single set of operating rules (pursuant to the process described under subsection (g)) for any transaction for which a standard had been adopted pursuant to subsection (a)(1)(B).
(j) Penalties
(1) Penalty fee
(A) In general
Not later than April 1, 2014, and annually thereafter, the Secretary shall assess a penalty fee (as determined under subparagraph (B)) against a health plan that has failed to meet the requirements under subsection (h) with respect to certification and documentation of compliance with-
(i) the standards and associated operating rules described under paragraph (1) of such subsection; and
(ii) a standard (as described under subsection (a)(1)(B)) and associated operating rules (as described under subsection (i)(5)) for any other financial and administrative transactions.
(B) Fee amount
Subject to subparagraphs (C), (D), and (E), the Secretary shall assess a penalty fee against a health plan in the amount of $1 per covered life until certification is complete. The penalty shall be assessed per person covered by the plan for which its data systems for major medical policies are not in compliance and shall be imposed against the health plan for each day that the plan is not in compliance with the requirements under subsection (h).
(C) Additional penalty for misrepresentation
A health plan that knowingly provides inaccurate or incomplete information in a statement of certification or documentation of compliance under subsection (h) shall be subject to a penalty fee that is double the amount that would otherwise be imposed under this subsection.
(D) Annual fee increase
The amount of the penalty fee imposed under this subsection shall be increased on an annual basis by the annual percentage increase in total national health care expenditures, as determined by the Secretary.
(E) Penalty limit
A penalty fee assessed against a health plan under this subsection shall not exceed, on an annual basis-
(i) an amount equal to $20 per covered life under such plan; or
(ii) an amount equal to $40 per covered life under the plan if such plan has knowingly provided inaccurate or incomplete information (as described under subparagraph (C)).
(F) Determination of covered individuals
The Secretary shall determine the number of covered lives under a health plan based upon the most recent statements and filings that have been submitted by such plan to the Securities and Exchange Commission.
(2) Notice and dispute procedure
The Secretary shall establish a procedure for assessment of penalty fees under this subsection that provides a health plan with reasonable notice and a dispute resolution procedure prior to provision of a notice of assessment by the Secretary of the Treasury (as described under paragraph (4)(B)).
(3) Penalty fee report
Not later than May 1, 2014, and annually thereafter, the Secretary shall provide the Secretary of the Treasury with a report identifying those health plans that have been assessed a penalty fee under this subsection.
(4) Collection of penalty fee
(A) In general
The Secretary of the Treasury, acting through the Financial Management Service, shall administer the collection of penalty fees from health plans that have been identified by the Secretary in the penalty fee report provided under paragraph (3).
(B) Notice
Not later than August 1, 2014, and annually thereafter, the Secretary of the Treasury shall provide notice to each health plan that has been assessed a penalty fee by the Secretary under this subsection. Such notice shall include the amount of the penalty fee assessed by the Secretary and the due date for payment of such fee to the Secretary of the Treasury (as described in subparagraph (C)).
(C) Payment due date
Payment by a health plan for a penalty fee assessed under this subsection shall be made to the Secretary of the Treasury not later than November 1, 2014, and annually thereafter.
(D) Unpaid penalty fees
Any amount of a penalty fee assessed against a health plan under this subsection for which payment has not been made by the due date provided under subparagraph (C) shall be-
(i) increased by the interest accrued on such amount, as determined pursuant to the underpayment rate established under section 6621 of the Internal Revenue Code of 1986; and
(ii) treated as a past-due, legally enforceable debt owed to a Federal agency for purposes of section 6402(d) of the Internal Revenue Code of 1986.
(E) Administrative fees
Any fee charged or allocated for collection activities conducted by the Financial Management Service will be passed on to a health plan on a pro-rata basis and added to any penalty fee collected from the plan.
(Aug. 14, 1935, ch. 531, title XI, §1173, as added
Editorial Notes
References in Text
The Health Insurance Portability and Accountability Act of 1996, referred to in subsec. (g)(1), (2)(D), is
The Internal Revenue Code of 1986, referred to in subsec. (j)(4)(D)(i), (ii), is classified generally to Title 26, Internal Revenue Code.
Prior Provisions
A prior section 1173 of act Aug. 14, 1935, was classified to section 1320c–22 of this title prior to the general amendment of part B of this subchapter by
Amendments
2010-Subsec. (a)(1)(B).
Subsec. (a)(2)(J).
Subsec. (a)(4).
Subsec. (a)(5).
Subsecs. (g) to (j).
Statutory Notes and Related Subsidiaries
Guidance on Protected Health Information
Making T–MSIS Data on Substance Use Disorders Available to Researchers
"(1)
"(2)
"(3)
Accessing, Sharing, and Using Health Data for Research Purposes
"(a)
"(1) at a minimum, security and privacy safeguards, consistent with the requirements of the Rule, are maintained by the covered entity and the researcher; and
"(2) the protected health information is not copied or otherwise retained by the researcher.
"(b)
"(1)
"(A) sufficiently describes the purposes such that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for such future research;
"(B) either-
"(i) states that the authorization will expire on a particular date or on the occurrence of a particular event; or
"(ii) states that the authorization will remain valid unless and until it is revoked by the individual; and
"(C) provides instruction to the individual on how to revoke such authorization at any time.
"(2)
"(3)
"(c)
"(1)
"(2)
"(A) relevant Federal agencies, including the National Institutes of Health, the Centers for Disease Control and Prevention, the Food and Drug Administration, and the Office for Civil Rights;
"(B) the research community;
"(C) patients;
"(D) experts in civil rights, such as privacy rights;
"(E) developers of health information technology;
"(F) experts in data privacy and security;
"(G) health care providers;
"(H) bioethicists; and
"(I) other experts and entities, as the Secretary determines appropriate.
"(3)
"(A) address, at a minimum-
"(i) the appropriate manner and timing of authorization, including whether additional notification to the individual should be required when the individual's protected health information will be used or disclosed for such research;
"(ii) opportunities for individuals to set preferences on the manner in which their protected health information is used in research;
"(iii) opportunities for patients to revoke authorization;
"(iv) notification to individuals of a breach in privacy;
"(v) existing gaps in statute, regulation, or policy related to protecting the privacy of individuals, and
"(vi) existing barriers to research related to the current restrictions on the uses and disclosures of protected health information; and
"(B) consider, at a minimum-
"(i) expectations and preferences on how an individual's protected health information is shared and used;
"(ii) issues related to specific subgroups of people, such as children, incarcerated individuals, and individuals with a cognitive or intellectual disability impacting capacity to consent;
"(iii) relevant Federal and State laws;
"(iv) models of facilitating data access and levels of data access, including data segmentation, where applicable;
"(v) potential impacts of disclosure and non-disclosure of protected health information on access to health care services; and
"(vi) the potential uses of such data.
"(4)
"(5)
"(d)
"(1)
"(2)
Clarification on Permitted Uses and Disclosures of Protected Health Information
"(a)
"(b)
"(1)
"(2)
"(A) require the consent of the patient;
"(B) require providing the patient with an opportunity to object;
"(C) are based on the exercise of professional judgment regarding whether the patient would object when the opportunity to object cannot practicably be provided because of the incapacity of the patient or an emergency treatment circumstance; and
"(D) are determined, based on the exercise of professional judgment, to be in the best interest of the patient when the patient is not present or otherwise incapacitated.
"(3)
"(A) communicating with a family member of the patient, caregiver of the patient, or other individual, to the extent that such family member, caregiver, or individual is involved in the care of the patient;
"(B) in the case that the patient is an adult, communicating with a family member of the patient, caregiver of the patient, or other individual involved in the care of the patient;
"(C) in the case that the patient is a minor, communicating with the parent or caregiver of the patient;
"(D) involving the family members or caregivers of the patient, or others involved in the patient's care or care plan, including facilitating treatment and medication adherence;
"(E) listening to the patient, or receiving information with respect to the patient from the family or caregiver of the patient;
"(F) communicating with family members of the patient, caregivers of the patient, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others; and
"(G) communicating to law enforcement and family members or caregivers of the patient about the admission of the patient to receive care at, or the release of a patient from, a facility for an emergency psychiatric hold or involuntary treatment."
Development and Dissemination of Model Training Programs
"(a)
"(1) Model programs and materials for training health care providers (including physicians, emergency medical personnel, psychiatrists, including child and adolescent psychiatrists, psychologists, counselors, therapists, nurse practitioners, physician assistants, behavioral health facilities and clinics, care managers, and hospitals, including individuals such as general counsels or regulatory compliance staff who are responsible for establishing provider privacy policies) regarding the permitted uses and disclosures, consistent with the standards governing the privacy and security of individually identifiable health information promulgated by the Secretary under part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.) and regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 [
"(2) A model program and materials for training patients and their families regarding their rights to protect and obtain information under the standards and regulations specified in paragraph (1).
"(b)
"(1) periodically review and update the model programs and materials identified or developed under subsection (a); and
"(2) disseminate the updated model programs and materials to the individuals described in subsection (a).
"(c)
"(d)
"(e)
"(1) $4,000,000 for fiscal year 2018;
"(2) $2,000,000 for each of fiscal years 2019 and 2020; and
"(3) $1,000,000 for each of fiscal years 2021 and 2022."
Delay in Transition From ICD–9 to ICD–10 Code Sets
Promulgation of Rules
"(1)
"(2)
"(3)
Activities and Items for Initial Consideration; ICD Coding Crosswalks
"(b)
"(1) Whether the application process, including the use of a uniform application form, for enrollment of health care providers by health plans could be made electronic and standardized.
"(2) Whether standards and operating rules described in section 1173 of the Social Security Act should apply to the health care transactions of automobile insurance, worker's compensation, and other programs or persons not described in section 1172(a) of such Act (42 U.S.C. 1320d–1(a)).
"(3) Whether standardized forms could apply to financial audits required by health plans, Federal and State agencies (including State auditors, the Office of the Inspector General of the Department of Health and Human Services, and the Centers for Medicare & Medicaid Services), and other relevant entities as determined appropriate by the Secretary.
"(4) Whether there could be greater transparency and consistency of methodologies and processes used to establish claim edits used by health plans (as described in section 1171(5) of the Social Security Act (42 U.S.C. 1320d(5))).
"(5) Whether health plans should be required to publish their timeliness of payment rules.
"(c) ICD
"(1) ICD–9
"(2)
"(3)
"(4)
Recommendations With Respect to Privacy of Certain Health Information
"(a)
"(b)
"(1) The rights that an individual who is a subject of individually identifiable health information should have.
"(2) The procedures that should be established for the exercise of such rights.
"(3) The uses and disclosures of such information that should be authorized or required.
"(c)
"(1)
"(2)
"(d)
"(1) the National Committee on Vital and Health Statistics established under section 306(k) of the Public Health Service Act (42 U.S.C. 242k(k)); and
"(2) the Attorney General."
Executive Documents
Ex. Ord. No. 13181. To Protect the Privacy of Protected Health Information in Oversight Investigations
Ex. Ord. No. 13181, Dec. 20, 2000, 65 F.R. 81321, provided:
By the authority vested in me as President of the United States by the Constitution and the laws of the United States of America, it is ordered as follows:
It shall be the policy of the Government of the United States that law enforcement may not use protected health information concerning an individual that is discovered during the course of health oversight activities for unrelated civil, administrative, or criminal investigations of a non-health oversight matter, except when the balance of relevant factors weighs clearly in favor of its use. That is, protected health information may not be so used unless the public interest and the need for disclosure clearly outweigh the potential for injury to the patient, to the physician-patient relationship, and to the treatment services. Protecting the privacy of patients' protected health information promotes trust in the health care system. It improves the quality of health care by fostering an environment in which patients can feel more comfortable in providing health care professionals with accurate and detailed information about their personal health. In order to provide greater protections to patients' privacy, the Department of Health and Human Services is issuing final regulations concerning the confidentiality of individually identifiable health information under the Health Insurance Portability and Accountability Act of 1996 [
Under the new HIPAA regulations, health oversight investigators will appropriately have ready access to medical records for oversight purposes. Health oversight investigators generally do not seek access to the medical records of a particular patient, but instead review large numbers of records to determine whether a health care provider or organization is violating the law, such as through fraud against the Medicare system. Access to many health records is often necessary in order to gain enough evidence to detect and bring enforcement actions against fraud in the health care system. Stricter rules apply under the HIPAA regulations, however, when law enforcement officials seek protected health information in order to investigate criminal activity outside of the health oversight realm.
In the course of their efforts to protect the health care system, health oversight investigators may also uncover evidence of wrongdoing unrelated to the health care system, such as evidence of criminal conduct by an individual who has sought health care. For records containing that evidence, the issue thus arises whether the information should be available for law enforcement purposes under the less restrictive oversight rules or the more restrictive rules that apply to non-oversight criminal investigations.
A similar issue has arisen in other circumstances. Under 18 U.S.C. 3486, an individual's health records obtained for health oversight purposes pursuant to an administrative subpoena may not be used against that individual patient in an unrelated investigation by law enforcement unless a judicial officer finds good cause. Under that statute, a judicial officer determines whether there is good cause by weighing the public interest and the need for disclosure against the potential for injury to the patient, to the physician-patient relationship, and to the treatment services. It is appropriate to extend limitations on the use of health information to all situations in which the government obtains medical records for a health oversight purpose. In recognition of the increasing importance of protecting health information as shown in the medical privacy rule, a higher standard than exists in 18 U.S.C. 3486 is necessary. It is, therefore, the policy of the Government of the United States that law enforcement may not use protected health information concerning an individual, discovered during the course of health oversight activities for unrelated civil, administrative, or criminal investigations, against that individual except when the balance of relevant factors weighs clearly in favor of its use. That is, protected health information may not be so used unless the public interest and the need for disclosure clearly outweigh the potential for injury to the patient, to the physician-patient relationship, and to the treatment services.
(a) "Health oversight activities" shall include the oversight activities enumerated in the regulations concerning the confidentiality of individually identifiable health information promulgated by the Secretary of Health and Human Services pursuant to the "Health Insurance Portability and Accountability Act of 1996," as amended [
(b) "Protected health information" shall have the meaning ascribed to it in the regulations concerning the confidentiality of individually identifiable health information promulgated by the Secretary of Health and Human Services pursuant to the "Health Insurance Portability and Accountability Act of 1996," as amended.
(c) "Injury to the patient" includes injury to the privacy interests of the patient.
(a) Protected health information concerning an individual patient discovered during the course of health oversight activities shall not be used against that individual patient in an unrelated civil, administrative, or criminal investigation of a non-health oversight matter unless the Deputy Attorney General of the U.S. Department of Justice, or insofar as the protected health information involves members of the Armed Forces, the General Counsel of the U.S. Department of Defense, has authorized such use.
(b) In assessing whether protected health information should be used under subparagraph (a) of this section, the Deputy Attorney General shall permit such use upon concluding that the balance of relevant factors weighs clearly in favor of its use. That is, the Deputy Attorney General shall permit disclosure if the public interest and the need for disclosure clearly outweigh the potential for injury to the patient, to the physician-patient relationship, and to the treatment services.
(c) Upon the decision to use protected health information under subparagraph (a) of this section, the Deputy Attorney General, in determining the extent to which this information should be used, shall impose appropriate safeguards against unauthorized use.
(d) On an annual basis, the Department of Justice, in consultation with the Department of Health and Human Services, shall provide to the President of the United States a report that includes the following information:
(i) the number of requests made to the Deputy Attorney General for authorization to use protected health information discovered during health oversight activities in a non-health oversight, unrelated investigation;
(ii) the number of requests that were granted as applied for, granted as modified, or denied;
(iii) the agencies that made the applications, and the number of requests made by each agency; and
(iv) the uses for which the protected health information was authorized.
(e) The General Counsel of the U.S. Department of Defense will comply with the requirements of subparagraphs (b), (c), and (d), above. The General Counsel also will prepare a report, consistent with the requirements of subparagraphs (d)(i) through (d)(iv), above, and will forward it to the Department of Justice where it will be incorporated into the Department's annual report to the President.
(a) Nothing in this Executive Order shall place a restriction on the derivative use of protected health information that was obtained by a law enforcement agency in a non-health oversight investigation.
(b) Nothing in this Executive Order shall be interpreted to place a restriction on a duty imposed by statute.
(c) Nothing in this Executive Order shall place any additional limitation on the derivative use of health information obtained by the Attorney General pursuant to the provisions of 18 U.S.C. 3486.
(d) This order does not create any right or benefit, substantive or procedural, enforceable at law by a party against the United States, the officers and employees, or any other person.
William J. Clinton.