HIPAA Training,HIPAA regulations

Standards for Privacy of Individually Identifiable Health Information

III. Section-by-Section Description of Final Modifications and Response to Comments

2. Health Care Operations: Changes of Legal Ownership

December 2000 Privacy Rule

The Rule's definition of "health care operations" included the disclosure of protected health information for the purposes of due diligence with respect to the contemplated sale or transfer of all or part of a covered entity's assets to a potential successor in interest who is a covered entity, or would become a covered entity as a result of the transaction. The Department indicated in the December 2000 preamble of the Privacy Rule its intent to include in the definition of health care operations the actual transfer of protected health information to a successor in interest upon a sale or transfer of its assets. (65 FR 82609.) However, the regulation itself did not expressly provide for the transfer of protected health information upon the sale or transfer of assets to a successor in interest. Instead, the definition of "health care operations" included uses or disclosures of protected health information only for due diligence purposes when a sale or transfer to a successor in interest is contemplated.

March 2002 NPRM

A number of entities expressed concern about the discrepancy between the intent as expressed in the preamble to the December 2000 Privacy Rule and the actual regulatory language. To address these concerns, the Department proposed to add language to paragraph (6) of the definition of "health care operations" to clarify its intent to permit the transfer of records to a covered entity upon a sale, transfer, merger, or consolidation. This proposed change would prevent the Privacy Rule from interfering with necessary treatment or payment activities upon the sale of a covered entity or its assets.

The Department also proposed to use the terms "sale, transfer, consolidation or merger" and to eliminate the term "successor in interest" from this paragraph. The Department intended this provision to apply to any sale, transfer, merger or consolidation and believed the current language may not accomplish this goal.

The Department proposed to retain the limitation that such disclosures are health care operations only to the extent the entity receiving the protected health information is a covered entity or would become a covered entity as a result of the transaction. The Department clarified that the proposed modification would not affect a covered entity's other legal or ethical obligation to notify individuals of a sale, transfer, merger, or consolidation.

Overview of Public Comments

The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, "Response to Other Public Comments."

Numerous commenters supported the proposed modifications. Generally, these commenters claimed the modifications would prevent inconvenience to consumers, and facilitate timely access to health care. Specifically, these commenters indicated that health care would be delayed and consumers would be inconvenienced if covered entities were required to obtain individual consent or authorization before they could access health records that are newly acquired assets resulting from the sale, transfer, merger, or consolidation of all or part of a covered entity. Commenters further claimed that the administrative burden of acquiring individual permission and culling records of consumers who do not give consent would be too great, and would cause some entities to simply store or destroy the records instead. Consequently, health information would be inaccessible, causing consumers to be inconvenienced and health care to be delayed. Some commenters noted that the proposed modifications recognize the realities of business without compromising the availability or quality of health care or diminishing privacy protections one would expect in the handling of protected health information during the course of such business transactions.

Opposition to the proposed modifications was limited, with commenters generally asserting that the transfer of records in such circumstances would not be in the best interests of individuals.

Final Modifications

The Department agrees with the commenters that supported the proposed modifications and, therefore, adopts the modifications to the definition of health care operations. Thus, "health care operations" includes the sale, transfer, merger, or consolidation of all or part of the covered entity to or with another covered entity, or an entity that will become a covered entity as a result of the transaction, as well as the due diligence activities in connection with such transaction. In response to a comment, the final Rule modifies the phrase "all or part of a covered entity" to read "all or part of the covered entity" to clarify that any disclosure for such activity must be by the covered entity that is a party to the transaction.

Under the final definition of "health care operations," a covered entity may use or disclose protected health information in connection with a sale or transfer of assets to, or a consolidation or merger with, an entity that is or will be a covered entity upon completion of the transaction; and to conduct due diligence in connection with such transaction. The modification makes clear it is also a health care operation to transfer records containing protected health information as part of the transaction. For example, if a pharmacy which is a covered entity buys another pharmacy which is also a covered entity, protected health information can be exchanged between the two entities for purposes of conducting due diligence, and the selling entity may transfer any records containing protected health information to the new owner upon completion of the transaction. The new owner may then immediately use and disclose those records to provide health care services to the individuals, as well as for payment and health care operations purposes. Since the information would continue to be protected by the Privacy Rule, any other use or disclosure of the information would require an authorization unless otherwise permitted without authorization by the Rule, and the new owner would be obligated to observe the individual's rights of access, amendment, and accounting. The Privacy Rule would not interfere with other legal or ethical obligations of an entity that may arise out of the nature of its business or relationship with its customers or patients to provide such persons with notice of the transaction or an opportunity to agree to the transfer of records containing personal information to the new owner.

Response to Other Public Comments

Comment: One commenter was concerned about what obligations the parties to a transaction have regarding protected health information that was exchanged as part of a transaction if the transaction does not go through.

Response: The Department believes that other laws and standard business practices are adequate to address these situations and accordingly does not impose additional requirements of this type. It is standard practice for parties contemplating such transactions to enter into confidentiality agreements. In addition to exchanging protected health information, the parties to such transactions commonly exchange confidential proprietary information. It is a standard practice for the parties to these transactions to agree that the handling of all confidential information, such as proprietary information, will include ensuring that, in the event that the proposed transaction is not consummated, the information is either returned to its original owner or destroyed as appropriate. They may include protected health information in any such agreement, as they determine appropriate to the circumstances and applicable law.
