Standards
for Privacy of Individually Identifiable Health Information
F. Section 164.512--Uses
and Disclosures for Which Authorization or Opportunity
To Agree or Object Is Not Required
1. Uses and Disclosures Regarding FDA-Regulated Products and Activities
December 2000 Privacy Rule
The Privacy Rule permits covered entities to disclose protected
health information without consent or authorization for public health
purposes. Generally, these disclosures may be made to public health
authorities, as well as to contractors and agents of public health
authorities. However, in recognition of the essential role of drug
and medical device manufacturers and other private persons in carrying
out the Food and Drug Administration's (FDA) public health mission,
the December 2000 Privacy Rule permitted covered entities to make
such disclosures to a person who is subject to the jurisdiction
of the FDA, but only for the following specified purposes: (1) To
report adverse events, defects or problems, or biological product
deviations with respect to products regulated by the FDA (if the
disclosure is made to the person required or directed to report
such information to the FDA); (2) to track products (if the disclosure
is made to the person required or directed to report such information
to the FDA); (3) for product recalls, repairs, or replacement; and
(4) for conducting post-marketing surveillance to comply with FDA
requirements or at the direction of the FDA.
March 2002 NPRM
The Department heard a number of concerns about the scope of the
disclosures permitted for FDA-regulated products and activities
and the failure of the Privacy Rule to reflect the breadth of the
public health activities currently conducted by private sector entities
subject to the jurisdiction of the FDA on a voluntary basis. These
commenters claimed the Rule would constrain important public health
surveillance and reporting activities by impeding the flow of needed
information to those subject to the jurisdiction of the FDA. For
instance, there were concerns that the Rule would have a chilling
effect on current voluntary reporting practices. The FDA gets the
vast majority of information concerning problems with FDA-regulated
products, including drugs, medical devices, biological products,
and food indirectly through voluntary reports made by health care
providers to the manufacturers. These reports are critically important
to public health and safety. The December 2000 Rule permitted such
disclosures only when made to a person "required or directed"
to report the information to the FDA or to track the product. The
manufacturer may or may not be required to report such problems
to the FDA, and the covered entities who make these reports are
not in a position to know whether the recipient of the information
is so obligated. Consequently, many feared that this uncertainty
would cause covered entities to discontinue their practices of voluntary
reporting of adverse events related to FDA-regulated products or
entities.
Some covered entities also expressed fears of the risk of liability
should they inadvertently report the information to a person who
is not subject to the jurisdiction of the FDA or to the wrong manufacturer.
Hence, they urged the Department to provide a "good-faith"
safe harbor to protect covered entities from enforcement actions
arising from unintentional violations of the Privacy Rule.
A number of commenters, including some subject to the jurisdiction
of the FDA, suggested that it is not necessary to disclose identifiable
health information for some or all of these public health purposes,
that identifiable health information is not reported to the FDA,
and that information without direct identifiers (such as name, mailing
address, phone number, social security number, and email address)
is sufficient for post-marketing surveillance purposes.
The Rule is not intended to discourage or prevent adverse event
reporting or otherwise disrupt the flow of essential information
that the FDA and persons subject to the jurisdiction of the FDA
need in order to carry out their important public health activities.
Therefore, the Department proposed some modifications to the Rule
to address these issues in the NPRM. Specifically, the Department
proposed to remove from Secs. 164.512(b)(1)(iii)(A) and (B) the
phrase "if the disclosure is made to a person required or directed
to report such information to the Food and Drug Administration"
and to remove from subparagraph (D) the phrase "to comply with
requirements or at the direction of the Food and Drug Administration."
In lieu of this language, the Department proposed to describe at
the outset the public health purposes for which disclosures may
be made. The proposed language read: "A person subject to the
jurisdiction of the Food and Drug Administration (FDA) with respect
to an FDA-regulated product or activity for which that person has
responsibility, for the purpose of activities related to the quality,
safety or effectiveness of such FDA- regulated product or activity."
The proposal retained the specific activities identified in paragraphs
(A), (B), (C), and (D) as examples of common FDA purposes for which
disclosures would be permitted, but eliminated the language that
would have made this listing the only activities for which such
disclosures would be allowed. These activities include reporting
of adverse events and other product defects, the tracking of FDA-regulated
products, enabling product recalls, repairs, or replacement, and
conducting post-marketing surveillance. Additionally, the Department
proposed to include "lookback" activities in paragraph
(C), which are necessary for tracking blood and plasma products,
as well as quarantining tainted blood or plasma and notifying recipients
of such tainted products.
In addition to these specific changes, the Department solicited
comments on whether a limited data set should be required or permitted
for some or all public health purposes, or if a special rule should
be developed for public health reporting. The Department also requested
comments as to whether the proposed modifications would be sufficient,
or if additional measures, such as a good-faith safe harbor, would
be needed for covered entities to continue to report vital information
concerning FDA-regulated products or activities on a voluntary basis.
Overview of Public Comments
The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this
issue are discussed below in the section entitled, "Response
to Other Public Comments."
The proposed changes received wide support. The overwhelming majority
of commenters urged the Department to adopt the proposed changes,
claiming it would reduce the chilling effect that the Rule would
otherwise have on current voluntary reporting practices, which are
an important means of identifying adverse events, defects, and other
problems regarding FDA-regulated products. Several commenters further
urged the Department to provide a good-faith safe harbor to allay
providers' fears of inadvertently violating the Rule, stating that
covered entities would otherwise be reluctant to risk liability
to make these important public health disclosures.
A few commenters opposed the proposed changes, expressing concern
that the scope of the proposal was too broad. They were particularly
concerned that including activities related to "quality"
or "effectiveness" would create a loophole for manufacturers
to obtain and use protected health information for purposes the
average person would consider unrelated to public health or safety,
such as using information to market products to individuals. Some
of these commenters said the Department should retain the exclusive
list of purposes and activities for which such disclosures may be
made, and some urged the Department to retain the "required
or directed" language, as it creates an essential nexus to
a government authority or requirement. It was also suggested that
the chilling effect on reporting of adverse events could be counteracted
by a more targeted approach. Commenters were also concerned that
the proposal would permit disclosure of much more protected health
information to non-covered entities that are not obligated by the
Rule to protect the privacy of the information. Comments regarding
use of a limited data set for public health disclosures are discussed
in section III.G.1. of the preamble.
Final Modifications
In the final modifications, the Department adopts the language
proposed in the NPRM. Section 164.512(b)(1)(iii), as modified, permits
covered entities to disclose protected health information, without
authorization, to a person subject to the jurisdiction of the FDA
with respect to an FDA-regulated product or activity for which that
person has responsibility, for the purpose of activities related
to the quality, safety, or effectiveness of such FDA-regulated product
or activity. Such purposes include, but are not limited to, the
following activities and purposes listed in subparagraphs (A) through
(D): (1) To collect or report adverse events (or similar activities
regarding food or dietary supplements), product defects or problems
(including problems with the use or labeling of a product), or biological
product deviations, (2) to track FDA-regulated products, (3) to
enable product recalls, repairs, or replacement, or for lookback
(including locating and notifying persons who have received products
that have been withdrawn, recalled, or are the subject of lookback),
and (4) to conduct post-marketing surveillance.
The Department believes these modifications are necessary to remove
barriers that could prevent or chill the continued flow of vital
information between health care providers and manufacturers of food,
drugs, medical and other devices, and biological products. Health
care providers have been making these disclosures to manufacturers
for many years, and commenters opposed to the proposal did not cite
any examples of abuses of information disclosed for such purposes.
Furthermore, both the individuals who are the subjects of the information
and the general public benefit from these disclosures, which are
an important means of identifying and dealing with FDA-regulated
products on the market that potentially pose a health or safety
threat. For example, FDA learns a great deal about the safety of
a drug after it is marketed as a result of voluntary adverse event
reports made by covered entities to the product's manufacturer.
The manufacturer is required to submit these safety reports to FDA,
which uses the information to help make the product safer by, among
other things, adding warnings or changing the product's directions
for use. The modifications provide the necessary assurances to covered
entities that such voluntary reporting may continue.
Although the list of permissible disclosures is no longer exclusive,
the Department disagrees with commenters that asserted the modifications
permit virtually unlimited disclosures for FDA purposes. As modified,
such disclosures must still be made to a person subject to the jurisdiction
of the FDA. The disclosure also must relate to FDA- regulated products
or activities for which the person using or receiving the information
has responsibility, and be made only for activities related to the
safety, effectiveness, or quality of such FDA-regulated product
or activity. These terms are terms of art with commonly accepted
and understood meanings in the FDA context, meanings of which providers
making such reports are aware. This limits the possibility that
FDA-regulated manufacturers and entities will able to abuse this
provision to obtain information to which they would otherwise not
be entitled.
Moreover, Sec. 164.512(b)(1) specifically limits permissible disclosures
to those made for public health activities and purposes. While a
disclosure related to the safety, quality or effectiveness of an
FDA-regulated product is a permissible disclosure, the disclosure
also must be for a "public health" activity or purpose.
For example, it is not permissible under Sec. 164.512(b)(1)(iii)
for a covered entity to disclose protected health information to
a manufacturer to allow the manufacturer to evaluate the effectiveness
of a marketing campaign for a prescription drug. In this example,
although the disclosure may be related to the effectiveness of an
FDA-regulated activity (the advertising of a prescription drug),
the disclosure is made for the commercial purposes of the manufacturer
rather than for a public health purpose.
A disclosure related to a "quality" defect of an FDA-regulated
product is also permitted. For instance, the public health exception
permits a covered entity to contact the manufacturer of a product
to report drug packaging quality defects. However, this section
does not permit all possible reports from a covered entity to a
person subject to FDA jurisdiction about product quality. It would
not be permissible for a provider to furnish a manufacturer with
a list of patients who prefer a different flavored cough syrup over
the flavor of the manufacturer's product. Such a disclosure generally
would not be for a public health purpose. However, a disclosure
related to the flavor of a product would be permitted under this
section if the covered entity believed that a difference in the
product's flavor indicated, for example, a possible manufacturing
problem or suggested that the product had been tampered with in
a way that could affect the product's safety.
The Department clarifies that the types of disclosures that covered
entities are permitted to make to persons subject to FDA jurisdiction
are those of the type that have been traditionally made over the
years. These reports include, but are not limited to, those made
for the purposes identified in paragraphs (A)-(D) of Sec. 164.512(b)(1)(iii)
of this final Rule.
Also, the minimum necessary standard applies to public health disclosures,
including those made to persons subject to the jurisdiction of the
FDA. There are many instances where a report about the quality,
safety, or effectiveness of an FDA-regulated product can be made
without disclosing protected health information. Such may be the
case with many adverse drug events where it is important to know
what happened but it may not be important to know to whom. However,
in other circumstances, such as device tracking or blood lookback,
it is essential for the manufacturer to have identifying patient
information in order to carry out its responsibilities under the
Food, Drug, and Cosmetic Act. Therefore, identifiable health information
can be disclosed for these purposes, consistent with the minimum
necessary standard.
As the Department stated in the preamble of the NPRM, "a person"
subject to the jurisdiction of the FDA does not mean that the disclosure
must be made to a specific individual. The Food, Drug, and Cosmetic
Act defines "person" to include an individual, partnership,
corporation, and association. Therefore, covered entities may continue
to disclose protected health information to the companies subject
to FDA's jurisdiction that have responsibility for the product or
activity. Covered entities may identify responsible companies by
using information obtained from product labels or product labeling
(written material about the product that accompanies the product)
including sources of labeling, such as the Physician's Desk Reference.
The Department believes these modifications effectively balance
the privacy interests of individuals with the interests of public
health and safety. Since the vast majority of commenters were silent
on the question of the potential need for a "good faith"
exception, the Department believes that these modifications will
be sufficient to preserve the current public health activities of
persons subject to the jurisdiction of the FDA, without such a safe
harbor. However, the Department will continue to evaluate the effect
of the Rule to determine whether there is need for further modifications
or guidance.
Response to Other Public Comments
Comment: A few commenters urged the Department to include
foreign public health authorities in the Rule's definition of "public
health authority." These commenters claimed that medical products
are often distributed in multiple countries, and the associated
public health issues are experienced globally. They further claimed
that requiring covered entities to obtain the permission of a United
States-based public health authority before disclosing protected
health information to a foreign government public health authority
will impede important communications.
Response: The Department notes that covered entities are
permitted to disclose protected health information for public health
purposes, at the direction of a public health authority, to an official
of a foreign government agency that is acting in collaboration with
a public health authority. The Department does not have sufficient
information at this time as to any potential impacts or workability
issues that could arise from this language and, therefore, does
not modify the Rule in this regard.
Comment: Some commenters, who opposed the proposal as a
weakening of the Privacy Rule, suggested that the Department implement
a more targeted approach to address only those issues raised in
the preamble to the NPRM, such as voluntary adverse event reporting
activities, rather than broadening the provision generally.
Response: The NPRM was intended to address a number of issues
in addition to the concern that the December 2000 Privacy Rule would
chill reporting of adverse events to entities from whom the FDA
receives much of its adverse event information. For instance, the
text of the December 2000 Privacy Rule did not expressly permit
disclosure of protected health information to FDA-regulated entities
for the purpose of enabling "lookback," which is an activity
performed by the blood and plasma industry to identify and quarantine
blood and blood products that may be at increased risk of transmitting
certain blood-borne diseases, and which includes the notification
of individuals who received possibly tainted products, permitting
them to seek medical attention and counseling. The NPRM also was
intended to simplify the public health reporting provision and to
make it more readily understandable. Finally, the approach proposed
in the NPRM, and adopted in this final Rule, is intended to add
flexibility to the public health reporting provision of the December
2000 Rule, whose exclusive list of permissible disclosures was insufficiently
flexible to assure that Sec. 164.512(b)(1)(iii) will allow legitimate
public health reporting activities that might arise in the future.
In addition, the Department clarifies that the reporting of adverse
events is not restricted to the FDA or persons subject
to the jurisdiction of the FDA. A covered entity may,
under Sec. 164.512(b), disclose protected health information
to a public health authority that is authorized to receive
or collect a report on an adverse event. In addition,
to the extent an adverse event is required to be reported
by law, the disclosure of protected health information
for this purpose is also permitted under Sec. 164.512(a).
For example, a Federally funded researcher who is a
covered health care provider under the Privacy Rule
may disclose protected health information related to
an adverse event to the National Institutes of Health
(NIH) if required to do so by NIH regulations. Even
if not required to do so, the researcher may also disclose
adverse events directly to NIH as a public health authority.
To the extent that NIH has public health matters as
part of its official mandate it qualifies as a public
health authority under the Privacy Rule, and to the
extent it is authorized by law to collect or receive
reports about injury and other adverse events such collection
would qualify as a public health activity.
|
