Healthcare Leadership Council
May 27, 2004
Jennifer J. Johnson, Secretary
Board of Governors of the
Federal Reserve System
20th Street and Constitution Ave., NW
Washington, DC 20551
Docket Number R-1188
Office of the Comptroller of the Currency
250 E Street, SW
Public Information Room, Mail Stop 1-5
Washington, DC 20219
Docket Number 04-09
Robert E. Feldman, Executive Secretary
Attention: Comments
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
RIN 3064-AC81
Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G St., NW
Washington, DC 20552
Attention: No. 2004-16
Ms. Becky Baker
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314-3428
Re: Fair Credit Reporting Medical Information Regulations/Proposed Rule
Ladies and Gentlemen:
On behalf of the Confidentiality Coalition, which is chaired by the
Healthcare Leadership Council (HLC), we are submitting to you comments
regarding the proposed regulations implementing the Fair and Accurate
Credit Transactions Act of 2003 (FACT Act)1, which amends
portions of the Fair Credit Reporting Act (FCRA or Act)2.
HLC organized the Confidentiality Coalition more than five years ago,
and it has grown to more than one hundred members, encompassing a broad
spectrum of providers, payors, and other health care industry
stakeholders. The Coalition supports the development and enforcement of
safe and effective regulations governing the confidentiality of medical
information. The Coalition is very concerned that the proposed rule,
unless clarified by each of your respective agencies (the "agencies"),
will likely be misinterpreted as modifying, altering, and in some cases
superseding, existing federal law regarding medical information — a
result that would be directly contrary to Congress' intent.
Since April 2003, the Health Insurance Portability and Accountability
Act (HIPAA) privacy rule has required health care providers, plans, and
clearinghouses to comply with comprehensive, national standards
regarding both the use (for internal purposes) and the disclosure (to
external parties, including components of their organizations not
involved in the provision of health care or health benefits) of health
information.3 Unfortunately, the tremendous HIPAA compliance
efforts made by covered entities over the past year could be undermined
or disrupted if the proposed rule remains as currently drafted:
susceptible to interpretation as modifying, limiting, or prohibiting the
permissible use and disclosure of health information by HIPAA covered
entities, including the use and disclosure of health information by and
among affiliates. Consequently, the Coalition strongly encourages the
consideration of the following comments on the proposed rule.
All proposed additions to the proposed rule are indicated in italics.
All proposed subtractions from the proposed rule are bracketed and
struck through.
Comment 1: Clarification of the Purpose of the Proposed Rule
As an initial - and essential - matter, each agency should clarify
the purpose of the proposed rule by addressing its relationship to
existing medical confidentiality laws, including state laws. The FCRA,
as amended, provides unambiguous guidance on this matter: the FCRA's
provisions regarding the protection of medical information are not to be
"construed as altering, affecting, or superseding the applicability of
any other provision of Federal law relating to medical confidentiality."4
Moreover, the FACT Act amendments do not expressly require or even
imply that FCRA be extended to regulate entities already regulated by
HIPAA. HIPAA and the FCRA share similar purposes with respect to
privacy: each has a separate set of regulated activities, and each is
premised on similar assumptions, such as the importance of individual
consent or authorization of uses. As amended, the FCRA, like HIPAA,
prohibits the use or disclosure of the information to which it applies
without the consent of the individual5 or unless authorized by the
amended FCRA – even though the specific requirements of the Act
regarding the form of consent (or the permissible uses) do not parallel
those of the HIPAA regulation.
The FACT Act's drafters attempted to deal with concerns regarding the
scope of the legislation by "carving out" from critical definitions the
information and activities that already are regulated by HIPAA. In
implementation, a failure to appreciate the broader HIPAA regulatory
regime could lead to an inappropriate interpretation of the FACT Act
language in relating the provisions of the FCRA to the provisions of
HIPAA. If this resulted in enforcement activities under the FCRA that
had the effect of prohibiting some disclosures of health information
that are permissible disclosures under HIPAA, the result would serve
only to confuse patients and HIPAA covered entities regarding
permissible activities, without enhancing the protection afforded
patients regarding their health information. Moreover, such a result
would be contrary to the FACT Act's provision that its provisions not
alter, affect, or supersede current Federal law regarding medical
confidentiality (e.g., the HIPAA privacy rule).6
In light of the foregoing, we strongly encourage each of the
regulatory agencies to adopt within Section ---.1 of their respective
rules a "purpose" statement that is consistent with this statutory
requirement. This statement could be incorporated into a broader purpose
statement (as illustrated below in the italicized language regarding
OCC's proposed purpose statement in 12 C.F.R. Sec. 41.1(a)), or could be
a stand-alone statement within Section ---.1 for each of the respective
agencies.
Proposed Changes Regarding Comment 1:
Section ---.41.1(a) Purpose
Current: "The purpose of this part is to establish standards for
national banks in key areas of regulation regarding consumer report
information and fair credit. In addition, the purpose of this part is to
specify the type of information, including medical information, national
banks may obtain, use, or share among affiliates. This part also
contains a number of measures national banks must take to combat
consumer fraud and related crimes, including identity theft."
Proposed Change: "The purpose of this part is to establish standards
for national banks in key areas of regulation regarding consumer report
information and fair credit. In addition, the purpose of this part is to
specify the type of information, including medical information, national
banks may obtain, use, or share among affiliates. This part also
contains a number of measures national banks must take to combat
consumer fraud and related crimes, including identity theft. Any
provisions to the contrary notwithstanding, this part does not, and
shall not be construed to, alter, affect, or supersede the obligations
of entities that already are directly or indirectly subject to
regulation with respect to the use of medical or medically-related
information under the Standards for Privacy of Individually Identifiable
Health Information promulgated pursuant to the Health Insurance
Portability and Accountability Act of 1996 (the "privacy rule"). Any
use, disclosure, or other activity related to medical or
medically-related information by a covered entity that is permissible
under the privacy rule, shall likewise be permissible under, and not
altered, affected, or superseded by, this part."
Comment 2: Permissible Disclosures by Affiliates
Our second comment concerns the proposed rule's limitations upon the
communication of medical information between affiliates. Specifically,
the proposed rule limits the medical information that can be in a
consumer report, and significantly narrows the scope of information
(other than a consumer report) that may be freely communicated among
affiliates and commonly owned entities. Indeed, except for information
that is disclosed for certain purposes — including for any purpose
permitted without authorization under the HIPAA privacy rule7
— the provision permitting information to be more freely shared among
affiliates and commonly owned persons does not apply to
information that is (1) medical information; (2) an individualized list
or description based on the payment transactions of the consumer for
medical products or services; or (3) an aggregate list of identified
consumers based on payment transactions for medical products or
services.8
Our concern is that information lawfully disclosed by a HIPAA covered
entity (such as a hospital or other provider, or a health insurer or
other health plan) to, for example, an affiliate of a consumer reporting
agency pursuant to a specific authorization of the patient (such
as an authorization to disclose health information in order to perform
health outcomes research, or other activities specifically authorized by
the patient), arguably could be considered "medical information" as
defined and regulated by the FCRA and the proposed rule. By way of
example, consider a health plan that is planning to conduct a fundraiser
on behalf of a condition-specific charity. HIPAA would permit the health
plan, when authorized in writing by the individual, to disclose
condition-specific medical information to an affiliate (including one
that also provides consumer reporting services) that would contact
individuals about potential contributions to the charity. If the
proposed rule were used to preclude or otherwise affect the disclosure
of medical information among affiliates where specifically authorized by
the individual, it would, in our view, be a very critical
misinterpretation of the FCRA, as amended by the FACT Act.
A second possible misinterpretation of the FCRA, as amended, could
arise where a HIPAA covered entity is an affiliate or under common
ownership with a consumer reporting agency that is subject to the
affiliate sharing rules of the FCRA. As noted above, the HIPAA privacy
rule establishes comprehensive, national standards for the use and
disclosure of health information. The privacy rule regulates not only
disclosures of health information to unrelated third parties, but also
regulates the use and disclosure of health information by a covered
entity (such as a physician group, hospital, health plan, or clinic)
to its affiliates. Indeed, disclosures of health information among
affiliates are directly and rigorously regulated by the privacy rule.
For example, should commonly owned covered entities desire to treat
themselves as a single covered entity for purposes of HIPAA, the
affiliated entities must document such designation and comply as a
single covered entity with HIPAA's requirements.9 Further,
should a covered entity that designates itself as an "affiliated covered
entity" perform multiple covered functions (for example, it is both a
health care provider and a health plan), then the affiliated covered
entity must comply with the HIPAA standards for each of those functions.10
Any failure to comply with these requirements would constitute a
violation of HIPAA, punishable by civil and possibly criminal penalties.
Likewise, any covered entity that chooses not to designate itself as an
affiliated covered entity with commonly owned entities must comply with
HIPAA by treating its affiliates in the same manner prescribed for
disclosures to unrelated third parties. For example, if a hospital is
affiliated with a health insurer, but the two do not formally
designate themselves as an affiliated covered entity, then the health
information of all the patients of the hospital and all the participants
of the health plan will be treated under HIPAA as if the hospital and
the insurer were completely unrelated parties. In our view, the sharing
of medical information among participating entities that are part of an
"affiliated covered entity" is regulated by the privacy rule in a manner
that fully satisfies the amended FCRA's concerns regarding
confidentiality, and such sharing should not also be subject to the
FCRA's provisions regarding affiliate sharing. If a hospital or health
plan also happens to be under common ownership with a consumer reporting
agency, and if the provisions limiting the sharing of "medical
information" were made applicable to the use and disclosure of health
information by the health care component of the hospital or health plan,
the HIPAA compliance arrangements of these entities would be thrown into
jeopardy.
Consequently, we believe that any interpretation of the amended FCRA
that does not permit HIPAA covered entities to use and to disclose
information to affiliated entities to the full extent permitted under
the privacy rule, and without implicating the FCRA's regulation of
consumer reports, is not only erroneous under the terms of the FCRA, as
amended, but raises unnecessary compliance burdens for entities that
already are subject to HIPAA regulation with respect to the very same
activity. In light of the foregoing, we strongly encourage each of the
regulatory agencies to adopt within Section ---.31(b)(2) of their
respective rules the language proposed below.
Proposed Changes Regarding Comment 2:
1. Section ---.31(b)(2)
Current: "For any purpose permitted without authorization under the
regulations promulgated by the Department of Health and Human Services
pursuant to the Health Insurance Portability and Accountability Act of
1996 (HIPAA)."
Proposed Change: [For any purpose permitted without
authorization] "As permitted
under the regulations promulgated by the Department of Health and Human
Services pursuant to the Health Insurance Portability and Accountability
Act of 1996 (HIPAA)."
2. As an alternative to the first proposed change for Comment 2,
pursuant to the authority provided under Section ----.31(b)(6) of the
proposed rule, the agency should clarify through the issuance of an
appropriate order that the special restrictions on sharing medical and
medical-related information with affiliates do not apply to information
shared "as permitted under the regulations promulgated by the Department
of Health and Human Services pursuant to the Health Insurance
Portability and Accountability Act of 1996 (HIPAA)."
The Coalition believes that the recommended changes to the proposed
rule are both necessary and appropriate to allow for the proper
sharing of medical and medical-related information. For the reasons
provided above, HLC strongly recommends the adoption of the proposed,
modest changes to the proposed rule, or, in the alternative, the
issuance of an order by the agency, in order to ensure the effective
implementation and operation of the proposed rule.
Sincerely,
Mary R. Grealy
President
1 Public Law 108-159, 117 Stat. 1952.
2 15 U.S.C. §§ 1681-1681x.
3 Title II, Subtitle F of the Health Insurance
Portability and Accountability Act of 1996, Pub. L. 104-191, 110 Stat.
1936 ("HIPAA") established new federal requirements for the
"administrative simplification" of the transmission, storage, use, and
disclosure of health information. The HIPAA privacy rule was promulgated
in the Standards for Privacy of Individually Identifiable Health
Information, 45 C.F.R. pts. 160 and 164.
4 15 U.S.C. § 1681b(g)(6). Under HIPAA, the federal law of
medical privacy states that state laws apply unless they are
specifically preempted as being contrary to and less protective of
privacy than the federal standards. HIPAA § 264(c)(2); see also 45
C.F.R. § 160.203.
5 15 U.S.C. § 1681b(g), as amended by section 411(a) of the
FACT Act.
6 15 U.S.C. § 1681b(g)(6).
7 15 U.S.C. § 1681b(g)(3)(B). This carve-out under the
amended FCRA for information that is disclosed for purposes that are
permitted without an authorization (e.g., limited disclosures for
treatment, public health reporting) under the HIPAA privacy rule appears
on its face not to apply to health information that is disclosed under
the HIPAA privacy rule pursuant to an authorization (e.g., research,
life insurance applications, employment). However, to treat the two
categories of information – disclosures pursuant to an authorization,
and disclosures not requiring an authorization – differently under the
FCRA, when they are both legitimate and permissible disclosures under
the HIPAA privacy rule, is inconsistent with HIPAA's goal of
administrative simplification, and indeed will only complicate the
implementation and administration of the HIPAA privacy rule.
8 15 U.S.C. § 1681a(d)(3).
9 45 C.F.R. § 164.504(d).
10 45 C.F.R. § 164.504(g).