Excerpted HIPAA Reference

8/18/2019 Excerpted HIPAA Reference

http://slidepdf.com/reader/full/excerpted-hipaa-reference 1/3

Wednesday,

August 14, 2002

Part V

Department ofHealth and HumanServicesOffice of the Secretary

45 CFR Parts 160 and 164

Standards for Privacy of IndividuallyIdentifiable Health Information; FinalRule

VerDate Aug<2,>2002 19:04 Aug 13, 2002 Jkt 197001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\14AUR4.SGM pfrm17 PsN: 14AUR4



53182 Federal Register / Vol. 67, No. 157 / Wednesday, August 14, 2002/ Rules and Regulations

DEPARTMENT OF HEALTH ANDHUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991–AB14

Standards for Privacy of Individually

Identifiable Health Information

AGENCY: Office for Civil Rights, HHS.ACTION: Final rule.

SUMMARY: The Department of Health andHuman Services (‘‘HHS’’ or‘‘Department’’) modifies certainstandards in the Rule entitled‘‘Standards for Privacy of IndividuallyIdentifiable Health Information’’(‘‘Privacy Rule’’). The Privacy Ruleimplements the privacy requirements ofthe Administrative Simplificationsubtitle of the Health InsurancePortability and Accountability Act of

1996.The purpose of these modifications is

to maintain strong protections for theprivacy of individually identifiablehealth information while clarifyingcertain of the Privacy Rule’s provisions,addressing the unintended negativeeffects of the Privacy Rule on healthcare quality or access to health care, andrelieving unintended administrative

burdens created by the Privacy Rule.DATES: This final rule is effective onOctober 15, 2002.FOR FURTHER INFORMATION CONTACT: Felicia Farmer, 1–866–OCR–PRIV (1–

866–627–7748) or TTY 1–866–788–4989.

SUPPLEMENTARY INFORMATION: Availability of copies, and electronicaccess.

Copies: To order copies of the FederalRegister containing this document, sendyour request to: New Orders,Superintendent of Documents, P.O. Box371954, Pittsburgh, PA 15250–7954.Specify the date of the issue requestedand enclose a check or money orderpayable to the Superintendent ofDocuments, or enclose your Visa orMaster Card number and expiration

date. Credit card orders can also beplaced by calling the order desk at (202)512–1800 (or toll-free at 1–866–512–1800) or by fax to (202) 512–2250. Thecost for each copy is $10.00.Alternatively, you may view andphotocopy the Federal Register document at most libraries designatedas Federal Depository Libraries and atmany other public and academiclibraries throughout the country thatreceive the Federal Register.

Electronic Access: This document isavailable electronically at the HHS

Office for Civil Rights (OCR) PrivacyWeb site at http://www.hhs.gov/ocr/ hipaa/, as well as at the web site of theGovernment Printing Office at http:// www.access.gpo.gov/su _docs/aces/ aces140.html.

I. Background

A. Statutory Background

Congress recognized the importanceof protecting the privacy of healthinformation given the rapid evolution ofhealth information systems in theHealth Insurance Portability andAccountability Act of 1996 (HIPAA),Public Law 104–191, which became lawon August 21, 1996. HIPAA’sAdministrative Simplificationprovisions, sections 261 through 264 ofthe statute, were designed to improvethe efficiency and effectiveness of thehealth care system by facilitating theelectronic exchange of information withrespect to certain financial and

administrative transactions carried out by health plans, health careclearinghouses, and health careproviders who transmit informationelectronically in connection with suchtransactions. To implement theseprovisions, the statute directed HHS toadopt a suite of uniform, nationalstandards for transactions, uniquehealth identifiers, code sets for the dataelements of the transactions, security ofhealth information, and electronicsignature.

At the same time, Congressrecognized the challenges to the

confidentiality of health informationpresented by the increasing complexityof the health care industry, and byadvances in the health informationsystems technology andcommunications. Thus, theAdministrative Simplificationprovisions of HIPAA authorized theSecretary to promulgate standards forthe privacy of individually identifiablehealth information if Congress did notenact health care privacy legislation byAugust 21, 1999. HIPAA also requiredthe Secretary of HHS to provideCongress with recommendations for

legislating to protect the confidentialityof health care information. TheSecretary submitted suchrecommendations to Congress onSeptember 11, 1997, but Congress didnot pass such legislation within its self-imposed deadline.

With respect to these regulations,HIPAA provided that the standards,implementation specifications, andrequirements established by theSecretary not supersede any contraryState law that imposes more stringentprivacy protections. Additionally,

Congress required that HHS consultwith the National Committee on Vitaland Health Statistics, a Federal advisorycommittee established pursuant tosection 306(k) of the Public HealthService Act (42 U.S.C. 242k(k)), and theAttorney General in the development ofHIPAA privacy standards.

After a set of HIPAA Administrative

Simplification standards is adopted bythe Department, HIPAA provides HHSwith authority to modify the standardsas deemed appropriate, but not morefrequently than once every 12 months.However, modifications are permittedduring the first year after adoption ofthe standards if the changes arenecessary to permit compliance with thestandards. HIPAA also provides thatcompliance with modifications tostandards or implementationspecifications must be accomplished bya date designated by the Secretary,which may not be earlier than 180 days

after the adoption of the modification.B. Regulatory and Other Actions to Date

HHS published a proposed Rulesetting forth privacy standards forindividually identifiable healthinformation on November 3, 1999 (64FR 59918). The Department receivedmore than 52,000 public comments inresponse to the proposal. Afterreviewing and considering the publiccomments, HHS issued a final Rule (65FR 82462) on December 28, 2000,establishing ‘‘Standards for Privacy ofIndividually Identifiable HealthInformation’’ (‘‘Privacy Rule’’).

In an era where consumers areincreasingly concerned about theprivacy of their personal information,the Privacy Rule creates, for the firsttime, a floor of national protections forthe privacy of their most sensitiveinformation—health information.Congress has passed other laws toprotect consumers’ personal informationcontained in bank, credit card, otherfinancial records, and even videorentals. These health privacyprotections are intended to provideconsumers with similar assurances thattheir health information, including

genetic information, will be properlyprotected. Under the Privacy Rule,health plans, health care clearinghouses,and certain health care providers mustguard against misuse of individuals’identifiable health information and limitthe sharing of such information, andconsumers are afforded significant newrights to enable them to understand andcontrol how their health information isused and disclosed.

After publication of the Privacy Rule,HHS received many inquiries andunsolicited comments through




53233Federal Register / Vol. 67, No. 157 / Wednesday, August 14, 2002/ Rules and Regulations

any unique, identifying number,characteristic, or code. Yet, the PrivacyRule permits a covered entity to assigna code or other record identification tothe information so that it may be re-identified by the covered entity at somelater date.

The Department did not intend sucha re-identification code to be considered

one of the unique, identifying numbersor codes that prevented the informationfrom being de-identified. Therefore, theDepartment proposed a technicalmodification to the safe harborprovisions explicitly to except the re-identification code or other means ofrecord identification permitted by§ 164.514(c) from the listed identifiers(§ 164.514(b)(2)(i)(R)).

Overview of Public Comments. Thefollowing provides an overview of thepublic comment received on thisproposal. Additional commentsreceived on this issue are discussed

below in the section entitled, ‘‘Responseto Other Public Comments.’’

All commenters on our clarification ofthe safe harbor re-identification codenot being an enumerated identifiersupported our proposed regulatoryclarification.

Final Modifications. Based on theDepartment’s intent that the re-identification code not be consideredone of the enumerated identifiers thatmust be excluded under the safe harborfor de-identification, and the publiccomment supporting this clarification,the Department adopts the provision as

proposed. The re-identification code orother means of record identificationpermitted by § 164.514(c) is expresslyexcepted from the listed safe harboridentifiers at § 164.514(b)(2)(i)(R).

Response to Other Public Comments

Comment: One commenter asked ifdata can be linked inside the coveredentity and a dummy identifiersubstituted for the actual identifierwhen the data is disclosed to theexternal researcher, with control of thedummy identifier remaining with thecovered entity.

Response: The Privacy Rule does notrestrict linkage of protected healthinformation inside a covered entity. Themodel that the commenter describes forthe dummy identifier is consistent withthe re-identification code allowed underthe Rule’s safe harbor so long as thecovered entity does not generate thedummy identifier using anyindividually identifiable information.For example, the dummy identifiercannot be derived from the individual’ssocial security number, birth date, orhospital record number.

Comment: Several commenters whosupported the creation of de-identifieddata for research based on removal offacial identifiers asked if a keyed-hashmessage authentication code (HMAC)can be used as a re-identification codeeven though it is derived from patientinformation, because it is not intendedto re-identify the patient and it is not

possible to identify the patient from thecode. The commenters stated that use ofthe keyed-hash message authenticationcode would be valuable for research,public health and bio-terrorismdetection purposes where there is aneed to link clinical events on the sameperson occurring in different health caresettings (e.g. to avoid double counting ofcases or to observe long-term outcomes).

These commenters referenced FederalInformation Processing Standard (FIPS)198: ‘‘The Keyed-Hash MessageAuthentication Code.’’ This standarddescribes a keyed-hash message

authentication code (HMAC) as amechanism for message authenticationusing cryptographic hash functions. TheHMAC can be used with any iterativeapproved cryptographic hash function,in combination with a shared secret key.A hash function is an approvedmathematical function that maps astring of arbitrary length (up to a pre-determined maximum size) to a fixedlength string. It may be used to producea checksum, called a hash value ormessage digest, for a potentially longstring or message.

According to the commenters, theHMAC can only be breached when the

key and the identifier from which theHMAC is derived and the de-identifiedinformation attached to this code areknown to the public. It is commonpractice that the key is limited in timeand scope (e.g. only for the purpose ofa single research query) and that datanot be accumulated with such codes(with the code needed for joiningrecords being discarded after the de-identified data has been joined).

Response: The HMAC does not meetthe conditions for use as a re-identification code for de-identifiedinformation. It is derived from

individually identified information andit appears the key is shared with orprovided by the recipient of the data inorder for that recipient to be able to linkinformation about the individual frommultiple entities or over time. Since theHMAC allows identification ofindividuals by the recipient, disclosureof the HMAC violates the Rule. It is notsolely the public’s access to the key thatmatters for these purposes; the coveredentity may not share the key to the re-identification code with anyone,including the recipient of the data,

regardless of whether the intent is tofacilitate re-identification or not.

The HMAC methodology, however,may be used in the context of thelimited data set, discussed below. Thelimited data set contains individuallyidentifiable health information and isnot a de-identified data set. Creation ofa limited data set for research with a

data use agreement, as specified in§ 164.514(e), would not precludeinclusion of the keyed-hash messageauthentication code in the limited dataset. The Department encouragesinclusion of the additional safeguardsmentioned by the commenters as part ofthe data use agreement whenever theHMAC is used.

Comment: One commenter requestedthat HHS update the safe harbor de-identification standard with prohibited3-digit zip codes based on 2000 Censusdata.

Response: The Department stated in

the preamble to the December 2000Privacy Rule that it would monitor suchdata and the associated re-identificationrisks and adjust the safe harbor asnecessary. Accordingly, the Departmentprovides such updated information inresponse to the above comment. TheDepartment notes that these three-digitzip codes are based on the five-digit zipCode Tabulation Areas created by theCensus Bureau for the 2000 Census.This new methodology also is brieflydescribed below, as it will likely be ofinterest to all users of data tabulated byzip code.

The Census Bureau will not beproducing data files containing U.S.Postal Service zip codes either as part ofthe Census 2000 product series or as apost Census 2000 product. However,due to the public’s interest in havingstatistics tabulated by zip code, theCensus Bureau has created a newstatistical area called the Zip CodeTabulation Area (ZCTA) for Census2000. The ZCTAs were designed toovercome the operational difficulties ofcreating a well-defined zip code area byusing Census blocks (and the addressesfound in them) as the basis for the

ZCTAs. In the past, there has been nocorrelation between zip codes andCensus Bureau geography. Zip codescan cross State, place, county, censustract, block group and census block

boundaries. The geographic entities theCensus Bureau uses to tabulate data arerelatively stable over time. For instance,census tracts are only defined every tenyears. In contrast, zip codes can changemore frequently. Because of the ill-defined nature of zip code boundaries,the Census Bureau has no file(crosswalk) showing the relationship


Excerpted HIPAA Reference

Documents

Transcript of Excerpted HIPAA Reference