Standards for Privacy of Individually Identifiable Health Information
This action corrects the effective date of the final rules adopting standards for privacy of individually identifiable health information published on December 28, 2000, in the Federal Register(65 FR 82462), resulting in a new effective date of April 14, 2001. The change in the effective date delays, by operation of law, the compliance dates published in the final rules. The compliance dates in the final rules are revised accordingly.
For further information contact:
Kimberly Coleman, 1-866-OCR-PRIV (1-866-627-7748) or TTY 1-866-788-4989.
On December 28, 2000, we published in the Federal Register final rules adopting standards for the privacy of individually identifiable health information (Privacy Rule). The Privacy Rule is the second in a series of rules mandated by sections 261-264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191. In general, the Privacy Rule establishes in 45 CFR Part 160 a set of definitions applicable to the entire set of HIPAA rules, requirements for requesting that a state law be excepted from preemption by the statute, and compliance and enforcement requirements. The Privacy Rule also establishes a new Subpart E of Part 164. Subpart E establishes standards which entities covered by the statute—health plans, health care clearinghouses, and certain health care providers—are required to comply with to protect the privacy of certain individually identifiable health information (“protected health information”). The standards establish requirements relating to the uses and disclosures of protected health information, the rights of individuals with respect to their protected health information, and the procedures for exercising those rights.
We have determined that the report to the Congress required by 5 U.S.C. 801(a)(1) was not received, as previously thought, concurrent with the transmission of the Rule to the Federal Register. The required report was received by the Congress on February 13, 2001. Under 5 U.S.C. 801(a)(3)(A), the effective date of a major rule is, as pertinent here, “the later of the date occurring 60 days after the date on which * * * the Congress receives the [required] report * * *, or * * * the rule is published in the Federal Register* * *”. Thus, the published effective date, which was 60 days following the date of publication of the Rule in the Federal Register, is erroneous; rather, under 5 U.S.C. 801(a)(3)(A), the actual effective date of the Privacy Rule is 60 days after the receipt by the Congress of the final rule, or April 14. This final rule corrects the previously published effective date of the Privacy Rule accordingly.
Because the correction of the effective date is required by law, we find good cause under 5 U.S.C. 553(b)(3)(B) and 553(d)(3) to waive public comment thereon and to make the correction effective immediately upon publication today in the Federal Register.
Under section 1175 of the Social Security Act, 42 U.S.C. 1320d-4, enacted by section 262 of HIPAA, most covered entities have two years following initial adoption of a HIPAA standard to come into compliance with the standard; small health plans have three years. Since a HIPAA standard is adopted when the rule adopting it becomes effective, the change in effective date, by operation of law, has the effect of moving the statutory compliance dates forward by a commensurate period. As the compliance dates are part of the text of the Privacy Rule (45 CFR 164.534), they are being amended to reflect the change in the effective date.
This amendment is technical in nature and is required by statute, in light of the change of the effective date of the Privacy Rule. Consequently, we find that good causer under 5 U.S.C. 553(b)(3)(B) exists for waiving prior public comment on the revision to § 164.534.
List of subjects
Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Medicaid, Medical research, Medicare, Privacy, Reporting and record keeping requirements.
Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Medicaid, Medical research, Medicare, Privacy, Reporting and record keeping requirements.Dated: February 22, 2001. Tommy G. Thompson, Secretary. For the reasons set forth in the preamble, § 164.534 of title 45, Code of Federal Regulations, is amended as follows: 1. The authority citation for Subpart E of 45 Code of Federal Regulations Part 164 is revised to read as follows:
Authority:2. Section 164.534 of Subpart E of 45 Code of Federal Regulations Part 164 is revised to read as follows: § 164.534
(a)Health care providers. A covered health care provider must comply with the applicable requirements of this subpart no later than April 14, 2003.
(b)Health plans. A health plan must comply with the applicable requirements of this subpart no later than the following as applicable:
(1)Health plans other han small health plans. April 14, 2003.
(2)Small health plans. April 14, 2004.
(c)Health clearinghouses. A health care clearinghouse must comply with the applicable requirements of this subpart no later than April 14, 2003.