III. Analysis of, and Responses to, Public Comments on the Proposed Rule
C. Transition to the Final Rule
The proposed rule included definitions for a number of terms that have now already been promulgated as part of the Transactions Rule or the Privacy Rule. Comments related to the definitions of "code set," "health care clearinghouse," "health plan," "health care provider," "small health plan," "standard" and "transaction," are addressed in the Transactions Rule at 65 FR 50319 through 50320. Comments concerning the definition of "individually identifiable health information" are discussed below, but are also addressed in the Privacy Rule at 65 FR 82611 through 82613. In addition, a few terms were redefined in the final Standards for Privacy of Individually Identifiable Health Information (67 FR 53182), issued on August 14, 2002 (Privacy Modifications). Certain terms that were defined in the proposed rule are not used in the final rule because they are no longer necessary. Other terms defined in the proposed rule are defined within the explanation of the standards in the final rule and are discussed in the preamble discussions in § 164.308 through § 164.312.
Definitions of terms relevant to the security standards now appear in the regulations text provisions as indicated below:
§ 160.103: Definitions of the following terms relevant to this rule appear in § 160.103: "business associate," "covered entity," "disclosure," "electronic media," "electronic protected health information," "health care," "health care clearinghouse," "health care provider," "health information," "health plan," "individual," "individually identifiable health information," "implementation specification," "organized health care arrangement," "protected health information," "standard," "use," and "workforce." These terms were discussed in connection with the Transaction and Privacy Rules and, with the exception of the terms "covered entity," "disclosure," "electronic protected health information," "health information," "individual," "organized health care arrangement," "protected health information," and "use," we will not discuss them in this document. We note that the definitions of those terms are not changed in the final rule.
§ 162.103: We have moved the definition of "electronic media" at § 162.103 to § 160.103 and have modified it to clarify that the term includes storage of information. The term "electronic media" is used in the definition of "protected health information." Both the privacy and security standards apply to information "at rest" as well as to information being transmitted.
We note that we have deleted the reference to § 162.103 in paragraph (1)(ii) of the definition of "protected health information," since both definitions, "electronic media" and "protected health information," have been moved to this section. Also, it is unnecessary, because the definitions of § 160.103 apply to all of the rule in parts 160, 162, and 164.
We have also clarified that the physical movement of electronic media from place to place is not limited to magnetic tape, disk, or compact disk. This clarification removes a restriction as to what is considered to be physical electronic media, thereby allowing for future technological innovation. We further clarified that transmission of information not in electronic form before the transmission, for example, paper or voice, is not covered by this definition.
§ 164.103: The term "plan sponsor" now appears in the new § 164.103, which consists of definitions of terms common to both subpart C and subpart E (the privacy standards). This definition was moved, without substantive change, from § 164.501 and has the meaning given to it in that section, and comments relating to this definition are discussed in connection with that section in the Privacy Rule at 65 FR 82607, 82611 through 82613, 82618 through 82622, and 82629.
§ 164.304: Definitions specifically applicable to the Security Rule appear in § 164.304, and these are discussed below. These definitions are from, or derived from, currently accepted definitions in industry publications, such as the International Organization for Standards (ISO) 7498-2 and the American Society for Testing and Materials (ASTM) E1762-95.
The following terms in § 164.304 are taken from the proposed rule text or the glossary in Addendum 2 of the proposed rule (63 FR 43271), were not commented on, and/or are unchanged or have only minor technical changes for purposes of clarification, and are not discussed below: "access," "authentication," "availability," "confidentiality," "encryption," "password," and "security."
§ 164.314: Four terms were defined in § 164.504(a) of the Privacy Rule ("common control," "common ownership," "health care component," and "hybrid entity"). Because these terms apply to both security and privacy, their definitions have been moved to § 164.103 without change. Those terms are discussed in the Privacy Rule at 65 FR 82502 through 82503 and at 67 FR 53203 through 53207.
1. Covered Entity (§ 160.103)
Comment: One commenter asked if transcription services were covered entities. The question arose because transcription is often the first electronic or printed source of clinical information. Concern was expressed about the application of physical safeguard standards to the transcribers working for transcription companies or health care providers, either as employees or as independent contractors.
Another commenter expressed concern that scalability was limited to only small providers. The commenter explained that Third Party Administrators (TPAs) allow claim processors to work at home. Some TPAs have noted that it would be impossible to comply with the security standards for home-based claims processors.
Response: A covered entity's responsibility to implement security standards extends to the members of its workforce, whether they work at home or on-site. Because a covered entity is responsible for ensuring the security of the information in its care, the covered entity must include "at home" functions in its security process. While an independent transcription company or a TPA may not be a covered entity, it will be a business associate of the covered entity because its activities fall under paragraph (1)(i)(a) of the definition of that term. For business associate provisions see proposed preamble section III.E.8. and § 164.308(b)(1) and § 164.314(c) of this final rule.
2. Health Care and Medical Care (§ 160.103)
Comment: One commenter asked whether "medical care," which is defined in the proposed rule, and "health care," which is not, are synonymous.
Response: The term "medical care," as used in the proposed rule (63 FR 43242), was intended to be synonymous with "health care." The term "medical care" is not included in this final rule. It is, however, included in the definition of "health plan," where its meaning is not synonymous with "health care." For a full discussion of this issue and its resolution, see the Privacy Rule (65 FR 82578).
3. Health Information and Individually Identifiable Health Information (§ 160.103)
We note that the definitions of "health information" and "individually identifiable health information" remain unchanged from those published in the Transactions and Privacy Rules.
a. Comment: A number of commenters asked that the definition of "health information" be expanded to include information collected by additional entities. Several commenters wanted the definition to include health information collected, maintained, or transmitted by any entity, and one commenter suggested the inclusion of aggregated information not identifiable to an individual. Several commenters asked that eligibility information be excluded from the definition of health information. Several commenters wanted the definition broadened to include demographics.
Response: Our definition of health information is taken from the definition in section 1171(4) of the Act, which provides that health information relates to the health or condition of an individual, the provision of health care to an individual, or payment for the provision of health care to an individual. The statutory definition also specifies the entities by which health information is created or received. We note that, because "individually identifiable health information" is a subset of "health information" and by statute includes demographic information, "health information" necessarily includes demographic information. We think this is clear as a matter of statutory construction and does not require further regulatory change.
b. Comment: Several commenters asked that we clarify the difference between "health information" and "individually identifiable" and "health information pertaining to an individual" as used in the August 12, 1998 proposed rule (63 FR 43242). Additionally, commenters asked that we be more consistent in the use of these terms and recommended use of the term "individually identifiable health information."
Two commenters stated that it is important to distinguish between "health information pertaining to an individual" and "individually identifiable health information," as in reporting statistics at various levels there will always be a need to bring forth information pertaining to an individual.
One commenter recommended that the standards apply only to individually identifiable health information. Another stated that in § 142.306(b) of the proposed rule, "health information pertaining to an individual" should be changed to "individually identifiable health information," as nonidentifiable information can be used for utilization review and other purposes. As written, the regulation text could limit the ability to use data, for example, from a clearinghouse for compliance monitoring.
Response: In general, we agree with these commenters, and note that these comments are largely mooted by the decision, reflected in § 164.306 below and discussed in section III.D.1. of this final rule, to cover only electronic protected health information in this final rule.
c. Comment: Several commenters stated that the definition of "individually identifiable health information" is not in the regulations and should be added.
Response: We note that the definition of "individually identifiable health information" appears at § 160.103, which applies to this final rule.
4. Protected Health Information (§ 160.103)
This term is moved from § 164.501 to § 160.103 because it applies to both subparts C (security) and E (privacy). See 67 FR 53192 through 531936 regarding the definition of "protected health information."
Also, the term "electronic media" is included in paragraphs (1)(i) and (ii) of the definition of "protected health information," as specified in this section.
In addition, we added the definitions of "covered functions," "plan sponsor," and "Required by law" to § 164.103.
5. Breach (§ 164.304)
Comment: One commenter asked that "breach" be defined.
Response: The term "breach" has been deleted and therefore not defined. Instead, we define the term "security incident," which better describes the types of situations we were referring to as breaches.
6. Facility (§ 164.304)
This new term has been added as a result of changing the name of the "physical access control" standard to "facility access control." This change was made based on comments indicating that the original term was not descriptive. We have defined the term "facility" as the physical premises and interior and exterior of a building.
7. Security Incident (§ 164.304)
Comment: We received comments asking that this term be defined.
Response: This final rule defines "Security incident" in § 164.304 as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system."
8. System (§ 164.304)
Comment: One commenter asked that "system" be defined.
Response: This final rule defines "system," in the context of an information system, in § 164.304 as "an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people."
9. Workstation (§ 164.304)
Comment: One commenter expressed concern that the use of the term "workstation" implied limited applicability to fixed devices (such as terminals), excluding laptops and other portable devices.
Response: We have added a definition of the term "workstation" to clarify that portable devices are also included. This final rule defines workstation as "an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment."
10. Definitions Not Adopted
Several definitions in the proposed regulations text and glossary are not adopted as definitions in the final rule: "participant," "contingency plan," "risk," "role-based access control," and "user-based access control." The terms "participant," "role-based access control," and "user-based access control" are not used in this final rule and thus are not defined. "Risk" is not defined as its meaning is generally understood. While we do not define the term, we address "contingency plan" as a standard in § 164.308(a)(7) below.
a. Comment: We received comments requesting that we define the following terms: "token" and "documentation."
Response: These terms were defined in Addendum 2 of the proposed rule. In this final rule, we do not adopt a definition for "token" because it is not used in the final rule. "Documentation" is discussed in § 164.316 below.
b. Comment: We received several comments that "small" and "rural" should be defined as those terms apply to providers. We received an equal number of comments stating that there is no need to define these terms. One commenter stated that definitions for these terms would be necessary only if special exemptions existed for small and rural providers. Several commenters suggested initiation of a study to determine limitations and potential barriers small and rural providers will have in implementing these regulations.
Response: The statute requires that we address the needs of small and rural providers. We believe that we have done this through the provisions, which require the risk assessment, and the response to it, to be based on the needs and capabilities of the entity. This scalability concept takes the needs of those providers into account and eliminates any need to define those terms.
c. Comment: In the proposed rule, we proposed the following definition for the term "Access control": "A method of restricting access to resources, allowing only privileged entities access. Types of access control include, among others, mandatory access control, discretionary access control, time-of-day, classification, and subject-object separation." One commenter believed the proposed definition is too restrictive and requested revision of the definition to read: "Access control refers to a method of restricting access to resources, allowing access to only those entities which have been specifically granted the desired access rights." Another commenter wanted the definition expanded to include partitioned rule-based access control (PRBAC).
Response: We agree with the commenter who suggested that the definition as proposed seemed too restrictive. In this case, as in many others, a number of commenters believed the examples given in the proposed rule provided the only acceptable compliance actions. As previously noted, in order to clarify that the examples listed were not to be considered all-inclusive, we have generalized the proposed requirements in this final rule. In this case, we have also generalized the requirements and placed the substantive provisions governing access control at § 164.308(a)(4), § 164.310(a)(1), and § 164.312(a)(1).
With respect to PRBAC, the access control standard does not exclude this control, and entities should adopt it if appropriate to their circumstances.