HIPAA Privacy Regulations: Definitions: Health Oversight Agency - § 164.501

As Contained in the HHS HIPAA Privacy Rules

HHS Regulations
Definitions: Health Oversight Agency - § 164.501

Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

HHS Description
Definitions: Health Oversight Agency

The proposed rule would have defined “health oversight agency” as “an agency, person, or entity, including the employees or agents thereof, (1) That is: (i) A public agency; or (ii) A person or entity acting under grant of authority from or contract with a public agency; and (2) Which performs or oversees the performance of any audit; investigation; inspection; licensure or discipline; civil, criminal, or administrative proceeding or action; or other activity necessary for appropriate oversight of the health care system, of government benefit programs for which health information is relevant to beneficiary eligibility, or of government regulatory programs for which health information is necessary for determining compliance with program standards.” The proposed rule also described the functions of health oversight agencies in the proposed health oversight section (§ 164.510(c)) by repeating much of this definition.

In the final rule, we modify the definition of health oversight agency by eliminating from the definition the language in proposed § 164.510(c) (now § 164.512(d)). In addition, the final rule clarifies this definition by specifying that a “health oversight agency” is an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or grantees, that is authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

The preamble to the proposed rule listed the following as examples of health oversight agencies that conduct oversight activities relating to the health care system: state insurance commissions, state health professional licensure agencies, Offices of Inspectors General of federal agencies, the Department of Justice, state Medicaid fraud control units, Defense Criminal Investigative Services, the Pension and Welfare Benefit Administration, the HHS Office for Civil Rights, and the FDA. The proposed rule listed the Social Security Administration and the Department of Education as examples of health oversight agencies that conduct oversight of government benefit programs for which health information is relevant to beneficiary eligibility. The proposed rule listed the Occupational Health and Safety Administration and the Environmental Protection Agency as examples of oversight agencies that conduct oversight of government regulatory programs for which health information is necessary for determining compliance with program standards.

In the final rule, we include the following as additional examples of health oversight activities: (1) The U.S. Department of Justice's civil rights enforcement activities, and in particular, enforcement of the Civil Rights of Institutionalized Persons Act (42 U.S.C. 1997-1997j) and the Americans with Disabilities Act (42 U.S.C. 12101 et seq.), as well as the EEOC's civil rights enforcement activities under titles I and V of the ADA; (2) the FDA's oversight of food, drugs, biologics, devices, and other products pursuant to the Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.) and the Public Health Service Act (42 U.S.C. 201 et seq.); and (3) data analysis - performed by a public agency or by a person or entity acting under grant of authority from or under contract with a public agency - to detect health care fraud.

“Overseeing the health care system,” which is included in the definition of health oversight, encompasses activities such as: oversight of health care plans; oversight of health benefit plans; oversight of health care providers; oversight of health care and health care delivery; oversight activities that involve resolution of consumer complaints; oversight of pharmaceuticals, medical products and devices, and dietary supplements; and a health oversight agency's analysis of trends in health care costs, quality, health care delivery, access to care, and health insurance coverage for health oversight purposes.

We recognize that health oversight agencies, such as the U.S. Department of Labor's Pension and Welfare Benefits Administration, may perform more than one type of health oversight. For example, agencies may sometimes perform audits and investigations and at other times conduct general oversight of health benefit plans. Such entities are considered health oversight agencies under the rule for any and all of the health oversight functions that they perform.

The definition of health oversight agency does not include private organizations, such as private-sector accrediting groups. Accreditation organizations are performing health care operations functions on behalf of health plans and covered health care providers. Accordingly, in order to obtain protected health information without individuals' authorizations, accrediting groups must enter into business associate agreements with health plans and covered health care providers for these purposes. Similarly, private entities, such as coding committees, that help government agencies that are health plans make coding and payment decisions are performing health care payment functions on behalf the government agencies and, therefore, must enter into business associate agreements in order to receive protected health information from the covered entity (absent individuals' authorization for such disclosure).

HHS Response to Comments Received
Definitions: Health Oversight Agency

Comment: Some commenters sought to have specific organizations defined as health oversight agencies. For example, some commenters asked that the regulation text, rather than the preamble, explicitly list state insurance departments as an example of health oversight agencies. Medical device manufacturers recommended expanding the definition to include government contractors such as coding committees, which provide data to HCFA to help the agency make reimbursement decisions.

One federal agency sought clarification that several of its sub-agencies were oversight agencies; it was concerned about its status in part because the agency fits into more than one of the categories of health oversight agency listed in the proposed rule.

Other commenters recommended expanding the definition of oversight agency to include private-sector accreditation organizations. One commenter recommended stating in the final rule that private companies providing information to insurers and employers are not included in the definition of health oversight agency.

Response: Because the range of health oversight agencies is so broad, we do not include specific examples in the definition. We include many examples in the preamble above and provide further clarity here.

As under the NPRM, state insurance departments are an example of a health oversight agency. A commenter concerned about state trauma registries did not describe the registries' activities or legal charters, so we cannot clarify whether such registries may be health oversight agencies. Government contractors such as coding committees, which provide data to HCFA to support payment processes, are not thereby health oversight agencies under this rule. We clarify that public agencies may fit into more than one category of health oversight agency.

The definition of health oversight agency does not include private-sector accreditation organizations. While their work can promote quality in the health care delivery system, private accreditation organizations are not authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. Under the final rule, we consider private accrediting groups to be performing a health care operations function for covered entities. Thus, disclosures to private accrediting organizations are disclosures for health care operations, not for oversight purposes.

When they are performing accreditation activities for a covered entity, private accrediting organizations will meet the definition of business associate, and the covered entity must enter into a business associate contract with the accrediting organization in order to disclose protected health information. This is consistent with current practice; today, accrediting organizations perform their work pursuant to contracts with the accredited entity. This approach is also consistent with the recommendation by the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance, which stated in their report titled Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment (1998) that “Oversight organizations, including accrediting bodies, states, and federal agencies, should include in their contracts terms that describe their responsibility to maintain the confidentiality of any personally identifiable health information that they review.”

We agree with the commenter who believed that private companies providing information to insurers and employers are not performing an oversight function; the definition of health oversight agency does not include such companies.

In developing and clarifying the definition of health oversight in the final rule, we seek to achieve a balance in accounting for the full range of activities that public agencies may undertake to perform their health oversight functions while establishing clear and appropriate boundaries on the definition so that it does not become a catch-all category that public and private agencies could use to justify any request for information.

Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.