F. Section 164.512--Uses and Disclosures for Which Authorization or Opportunity To Agree or Object Is Not Required
1. Uses and Disclosures Regarding FDA-Regulated Products and Activities
December 2000 Privacy Rule
The Privacy Rule permits covered entities to disclose protected health information without consent or authorization for public health purposes. Generally, these disclosures may be made to public health authorities, as well as to contractors and agents of public health authorities. However, in recognition of the essential role of drug and medical device manufacturers and other private persons in carrying out the Food and Drug Administration's (FDA) public health mission, the December 2000 Privacy Rule permitted covered entities to make such disclosures to a person who is subject to the jurisdiction of the FDA, but only for the following specified purposes: (1) To report adverse events, defects or problems, or biological product deviations with respect to products regulated by the FDA (if the disclosure is made to the person required or directed to report such information to the FDA); (2) to track products (if the disclosure is made to the person required or directed to report such information to the FDA); (3) for product recalls, repairs, or replacement; and (4) for conducting post-marketing surveillance to comply with FDA requirements or at the direction of the FDA.
March 2002 NPRM
The Department heard a number of concerns about the scope of the disclosures permitted for FDA-regulated products and activities and the failure of the Privacy Rule to reflect the breadth of the public health activities currently conducted by private sector entities subject to the jurisdiction of the FDA on a voluntary basis. These commenters claimed the Rule would constrain important public health surveillance and reporting activities by impeding the flow of needed information to those subject to the jurisdiction of the FDA. For instance, there were concerns that the Rule would have a chilling effect on current voluntary reporting practices. The FDA gets the vast majority of information concerning problems with FDA-regulated products, including drugs, medical devices, biological products, and food indirectly through voluntary reports made by health care providers to the manufacturers. These reports are critically important to public health and safety. The December 2000 Rule permitted such disclosures only when made to a person "required or directed" to report the information to the FDA or to track the product. The manufacturer may or may not be required to report such problems to the FDA, and the covered entities who make these reports are not in a position to know whether the recipient of the information is so obligated. Consequently, many feared that this uncertainty would cause covered entities to discontinue their practices of voluntary reporting of adverse events related to FDA-regulated products or entities.
Some covered entities also expressed fears of the risk of liability should they inadvertently report the information to a person who is not subject to the jurisdiction of the FDA or to the wrong manufacturer. Hence, they urged the Department to provide a "good-faith" safe harbor to protect covered entities from enforcement actions arising from unintentional violations of the Privacy Rule.
A number of commenters, including some subject to the jurisdiction of the FDA, suggested that it is not necessary to disclose identifiable health information for some or all of these public health purposes, that identifiable health information is not reported to the FDA, and that information without direct identifiers (such as name, mailing address, phone number, social security number, and email address) is sufficient for post-marketing surveillance purposes.
The Rule is not intended to discourage or prevent adverse event reporting or otherwise disrupt the flow of essential information that the FDA and persons subject to the jurisdiction of the FDA need in order to carry out their important public health activities. Therefore, the Department proposed some modifications to the Rule to address these issues in the NPRM. Specifically, the Department proposed to remove from Secs. 164.512(b)(1)(iii)(A) and (B) the phrase "if the disclosure is made to a person required or directed to report such information to the Food and Drug Administration" and to remove from subparagraph (D) the phrase "to comply with requirements or at the direction of the Food and Drug Administration." In lieu of this language, the Department proposed to describe at the outset the public health purposes for which disclosures may be made. The proposed language read: "A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA- regulated product or activity."
The proposal retained the specific activities identified in paragraphs (A), (B), (C), and (D) as examples of common FDA purposes for which disclosures would be permitted, but eliminated the language that would have made this listing the only activities for which such disclosures would be allowed. These activities include reporting of adverse events and other product defects, the tracking of FDA-regulated products, enabling product recalls, repairs, or replacement, and conducting post-marketing surveillance. Additionally, the Department proposed to include "lookback" activities in paragraph (C), which are necessary for tracking blood and plasma products, as well as quarantining tainted blood or plasma and notifying recipients of such tainted products.
In addition to these specific changes, the Department solicited comments on whether a limited data set should be required or permitted for some or all public health purposes, or if a special rule should be developed for public health reporting. The Department also requested comments as to whether the proposed modifications would be sufficient, or if additional measures, such as a good-faith safe harbor, would be needed for covered entities to continue to report vital information concerning FDA-regulated products or activities on a voluntary basis.
Overview of Public Comments
The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, "Response to Other Public Comments."
The proposed changes received wide support. The overwhelming majority of commenters urged the Department to adopt the proposed changes, claiming it would reduce the chilling effect that the Rule would otherwise have on current voluntary reporting practices, which are an important means of identifying adverse events, defects, and other problems regarding FDA-regulated products. Several commenters further urged the Department to provide a good-faith safe harbor to allay providers' fears of inadvertently violating the Rule, stating that covered entities would otherwise be reluctant to risk liability to make these important public health disclosures.
A few commenters opposed the proposed changes, expressing concern that the scope of the proposal was too broad. They were particularly concerned that including activities related to "quality" or "effectiveness" would create a loophole for manufacturers to obtain and use protected health information for purposes the average person would consider unrelated to public health or safety, such as using information to market products to individuals. Some of these commenters said the Department should retain the exclusive list of purposes and activities for which such disclosures may be made, and some urged the Department to retain the "required or directed" language, as it creates an essential nexus to a government authority or requirement. It was also suggested that the chilling effect on reporting of adverse events could be counteracted by a more targeted approach. Commenters were also concerned that the proposal would permit disclosure of much more protected health information to non-covered entities that are not obligated by the Rule to protect the privacy of the information. Comments regarding use of a limited data set for public health disclosures are discussed in section III.G.1. of the preamble.
In the final modifications, the Department adopts the language proposed in the NPRM. Section 164.512(b)(1)(iii), as modified, permits covered entities to disclose protected health information, without authorization, to a person subject to the jurisdiction of the FDA with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety, or effectiveness of such FDA-regulated product or activity. Such purposes include, but are not limited to, the following activities and purposes listed in subparagraphs (A) through (D): (1) To collect or report adverse events (or similar activities regarding food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations, (2) to track FDA-regulated products, (3) to enable product recalls, repairs, or replacement, or for lookback (including locating and notifying persons who have received products that have been withdrawn, recalled, or are the subject of lookback), and (4) to conduct post-marketing surveillance.
The Department believes these modifications are necessary to remove barriers that could prevent or chill the continued flow of vital information between health care providers and manufacturers of food, drugs, medical and other devices, and biological products. Health care providers have been making these disclosures to manufacturers for many years, and commenters opposed to the proposal did not cite any examples of abuses of information disclosed for such purposes. Furthermore, both the individuals who are the subjects of the information and the general public benefit from these disclosures, which are an important means of identifying and dealing with FDA-regulated products on the market that potentially pose a health or safety threat. For example, FDA learns a great deal about the safety of a drug after it is marketed as a result of voluntary adverse event reports made by covered entities to the product's manufacturer. The manufacturer is required to submit these safety reports to FDA, which uses the information to help make the product safer by, among other things, adding warnings or changing the product's directions for use. The modifications provide the necessary assurances to covered entities that such voluntary reporting may continue.
Although the list of permissible disclosures is no longer exclusive, the Department disagrees with commenters that asserted the modifications permit virtually unlimited disclosures for FDA purposes. As modified, such disclosures must still be made to a person subject to the jurisdiction of the FDA. The disclosure also must relate to FDA- regulated products or activities for which the person using or receiving the information has responsibility, and be made only for activities related to the safety, effectiveness, or quality of such FDA-regulated product or activity. These terms are terms of art with commonly accepted and understood meanings in the FDA context, meanings of which providers making such reports are aware. This limits the possibility that FDA-regulated manufacturers and entities will able to abuse this provision to obtain information to which they would otherwise not be entitled.
Moreover, Sec. 164.512(b)(1) specifically limits permissible disclosures to those made for public health activities and purposes. While a disclosure related to the safety, quality or effectiveness of an FDA-regulated product is a permissible disclosure, the disclosure also must be for a "public health" activity or purpose. For example, it is not permissible under Sec. 164.512(b)(1)(iii) for a covered entity to disclose protected health information to a manufacturer to allow the manufacturer to evaluate the effectiveness of a marketing campaign for a prescription drug. In this example, although the disclosure may be related to the effectiveness of an FDA-regulated activity (the advertising of a prescription drug), the disclosure is made for the commercial purposes of the manufacturer rather than for a public health purpose.
A disclosure related to a "quality" defect of an FDA-regulated product is also permitted. For instance, the public health exception permits a covered entity to contact the manufacturer of a product to report drug packaging quality defects. However, this section does not permit all possible reports from a covered entity to a person subject to FDA jurisdiction about product quality. It would not be permissible for a provider to furnish a manufacturer with a list of patients who prefer a different flavored cough syrup over the flavor of the manufacturer's product. Such a disclosure generally would not be for a public health purpose. However, a disclosure related to the flavor of a product would be permitted under this section if the covered entity believed that a difference in the product's flavor indicated, for example, a possible manufacturing problem or suggested that the product had been tampered with in a way that could affect the product's safety.
The Department clarifies that the types of disclosures that covered entities are permitted to make to persons subject to FDA jurisdiction are those of the type that have been traditionally made over the years. These reports include, but are not limited to, those made for the purposes identified in paragraphs (A)-(D) of Sec. 164.512(b)(1)(iii) of this final Rule.
Also, the minimum necessary standard applies to public health disclosures, including those made to persons subject to the jurisdiction of the FDA. There are many instances where a report about the quality, safety, or effectiveness of an FDA-regulated product can be made without disclosing protected health information. Such may be the case with many adverse drug events where it is important to know what happened but it may not be important to know to whom. However, in other circumstances, such as device tracking or blood lookback, it is essential for the manufacturer to have identifying patient information in order to carry out its responsibilities under the Food, Drug, and Cosmetic Act. Therefore, identifiable health information can be disclosed for these purposes, consistent with the minimum necessary standard.
As the Department stated in the preamble of the NPRM, "a person" subject to the jurisdiction of the FDA does not mean that the disclosure must be made to a specific individual. The Food, Drug, and Cosmetic Act defines "person" to include an individual, partnership, corporation, and association. Therefore, covered entities may continue to disclose protected health information to the companies subject to FDA's jurisdiction that have responsibility for the product or activity. Covered entities may identify responsible companies by using information obtained from product labels or product labeling (written material about the product that accompanies the product) including sources of labeling, such as the Physician's Desk Reference.
The Department believes these modifications effectively balance the privacy interests of individuals with the interests of public health and safety. Since the vast majority of commenters were silent on the question of the potential need for a "good faith" exception, the Department believes that these modifications will be sufficient to preserve the current public health activities of persons subject to the jurisdiction of the FDA, without such a safe harbor. However, the Department will continue to evaluate the effect of the Rule to determine whether there is need for further modifications or guidance.
Response to Other Public Comments
Comment: A few commenters urged the Department to include foreign public health authorities in the Rule's definition of "public health authority." These commenters claimed that medical products are often distributed in multiple countries, and the associated public health issues are experienced globally. They further claimed that requiring covered entities to obtain the permission of a United States-based public health authority before disclosing protected health information to a foreign government public health authority will impede important communications.
Response: The Department notes that covered entities are permitted to disclose protected health information for public health purposes, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority. The Department does not have sufficient information at this time as to any potential impacts or workability issues that could arise from this language and, therefore, does not modify the Rule in this regard.
Comment: Some commenters, who opposed the proposal as a weakening of the Privacy Rule, suggested that the Department implement a more targeted approach to address only those issues raised in the preamble to the NPRM, such as voluntary adverse event reporting activities, rather than broadening the provision generally.
Response: The NPRM was intended to address a number of issues in addition to the concern that the December 2000 Privacy Rule would chill reporting of adverse events to entities from whom the FDA receives much of its adverse event information. For instance, the text of the December 2000 Privacy Rule did not expressly permit disclosure of protected health information to FDA-regulated entities for the purpose of enabling "lookback," which is an activity performed by the blood and plasma industry to identify and quarantine blood and blood products that may be at increased risk of transmitting certain blood-borne diseases, and which includes the notification of individuals who received possibly tainted products, permitting them to seek medical attention and counseling. The NPRM also was intended to simplify the public health reporting provision and to make it more readily understandable. Finally, the approach proposed in the NPRM, and adopted in this final Rule, is intended to add flexibility to the public health reporting provision of the December 2000 Rule, whose exclusive list of permissible disclosures was insufficiently flexible to assure that Sec. 164.512(b)(1)(iii) will allow legitimate public health reporting activities that might arise in the future.
In addition, the Department clarifies that the reporting of adverse events is not restricted to the FDA or persons subject to the jurisdiction of the FDA. A covered entity may, under Sec. 164.512(b), disclose protected health information to a public health authority that is authorized to receive or collect a report on an adverse event. In addition, to the extent an adverse event is required to be reported by law, the disclosure of protected health information for this purpose is also permitted under Sec. 164.512(a). For example, a Federally funded researcher who is a covered health care provider under the Privacy Rule may disclose protected health information related to an adverse event to the National Institutes of Health (NIH) if required to do so by NIH regulations. Even if not required to do so, the researcher may also disclose adverse events directly to NIH as a public health authority. To the extent that NIH has public health matters as part of its official mandate it qualifies as a public health authority under the Privacy Rule, and to the extent it is authorized by law to collect or receive reports about injury and other adverse events such collection would qualify as a public health activity.