HIPAA Regulations: U.S. Safe Harbor Privacy Principles - Relationship to Other Federal Laws

As Contained in the HHS HIPAA Rules

The E.U. Directive became effective in October 1998 and prohibits European Union Countries from permitting the transfer of personal data to another country without ensuring that an “adequate level of protection,” as determined by the European Commission, exists in the other country or pursuant to one of the Directive's derogations of this rule, such as pursuant to unambiguous consent or to fulfill a contract with the individual. In July 2000, the European Commission concluded that the U.S. Safe Harbor Privacy Principles constituted “adequate protection.” Adherence to the Principles is voluntary. Organizations wishing to engage in the exchange of personal data with E.U. countries may assert compliance with the Principles as one means of obtaining data from E.U. countries.

The Department of Commerce, which negotiated these Principles with the European Commission, has provided guidance for U.S. organizations seeking to adhere to the guidelines and comply with U.S. law. We believe this guidance addresses the concerns covered entities seeking to transfer personal data from E.U. countries may have. When “U.S. law imposes a conflicting obligation, U.S. organizations whether in the safe harbor or not must comply with the law.” An organization does not need to comply with the Principles if a conflicting U.S. law “explicitly authorizes” the particular conduct. The organization's non-compliance is “limited to the extent necessary to meet the overriding legitimate interests further[ed] by such authorization.” However, if only a difference exists such that an “option is allowable under the Principles and/or U.S. law, organizations are expected to opt for the higher protection where possible.” Questions regarding compliance and interpretation will be decided based on U.S. law. See Department of Commerce, Memorandum on Damages for Breaches of Privacy, Legal Authorizations and Mergers and Takeovers in U.S. Law 5 (July 17, 2000); Department of Commerce, Safe Harbor Privacy Principles Issued by the U.S. Department of Commerce on July 21, 2000, 65 Fed. Reg. 45666 (2000). The Principles and our privacy regulation are based on common principles of fair information practices. We believe they are essentially consistent and that an organization complying with our privacy regulation can fairly and correctly self-certify that it complies with the Principles. If a true conflict arises between the privacy regulation and the Principles, the Department of Commerce's guidance provides that an entity must comply with the U.S. law.

Comment: Several comments stated that the privacy regulation should be consistent with the European Union's Directive on Data Protection. Others sought guidance as to how to comply with both the E.U. Directive on Data Protection and the U.S. Safe Harbor Privacy Principles.

Response: We appreciate the need for covered entities obtaining personal data from the European Union to understand how the privacy regulation intersects with the Data Protection Directive. We have provided guidance as to this interaction in the "Other Federal Laws" provisions of the preamble.

Comment: A few comments expressed concern that the proposed definition of "individual" excluded foreign military and diplomatic personnel and their dependents, as well as overseas foreign national beneficiaries. They noted that the distinctions are based on nationality and are inconsistent with the stance of the E.U. Directive on Data Protection and the Department of Commerce's assurances to the European Commission.

Response: We agree with the general principle that privacy protections should protect every person, regardless of nationality. As noted in the discussion of the definition of "individual," the final regulation's definition does not exclude foreign military and diplomatic personnel, their dependents, or overseas foreign national beneficiaries from the definition of individual. As described in the discussion of Sec. 164.512 below, the final rule applies to foreign diplomatic personnel and their dependents like all other individuals. Foreign military personnel receive the same treatment under the final rule as U.S. military personnel do, as discussed with regard to Sec. 164.512 below. Overseas foreign national beneficiaries to the extent they receive care for the Department of Defense or a source acting on behalf of the Department of Defense remain generally excluded from the final rules protections. For a more detailed explanation, see Sec. 164.500.