Postal Workers Privacy Act Issues and Posta l- Health Insurance Portability and Accountability Act (HIPAA)

USPS Expands on Disclosures Permitted under Privacy Act

In the Federal Register of April 29, 2005, the USPS expanded on the disclosures permitted under the Privacy Act. Some examples are:

"Arguably relevant records may be disclosed to a bar association or similar Federal, state, or local licensing or regulatory authority that relate to possible disciplinary action." (If postal attorneys, EAP counselors and other licensed professionals in the USPS were exempt from disciplinary action as some claim, there would be no reason for this rule.)

"Records about an individual may be disclosed to a congressional office in response to an inquiry from the congressional office made at the prompting of that individual." (This reverses a court ruling. Employees should be careful when opening this Pandora's box. A Congressional office could make their records public.)

"Reference copies of discipline or adverse actions. These are kept for historical purposes and are not to be used for decisions about the employee. The retention of these records may not exceed ten years beyond the employee's separation date. The records are maintained longer if the employee is rehired during the 10-year period. They may not be maintained in
the employee's OPF but must be maintained in a separate file by Labor Relations."

"Reference copies of all discipline or adverse actions: Letters of warning; notices of removal, suspension, reduction in grade or pay; and letters of decisions; and documents relating to these actions. These are used only to refute inaccurate statements by witnesses before a judicial or administrative body. They may not be maintained in the employee's OPF but must be maintained in a separate file by Labor Relations."

This will surprise some! Disciplinary records are maintained in LR computers until 10 years AFTER separation. Previously, the time limit was 10 years.

A tactic of some LR advocates in a hearing is to ask a person, especially a grievant, if they have ever been disciplined. If the person says no or leaves something out, prior disciplinary actions going back as far as 1975 are introduced to impeach the person's memory and/or credibility. For that reason employees should SAVE their disciplinary files FOREVER, however
minor. They may be needed for rebuttal 30 years later.

Let me give you an example. Last year a clerk called me frantically. He had transferred to another post office, got in trouble for fighting, and was issued a Notice of Removal. Although no previous incidents were mentioned in the Notice of Removal, Labor Relations cited a prior one-week suspension for fighting that was about 15 years old! I sent proof from my steward files that his prior discipline had been reduced to a LOW. As a result his termination was reduced to a suspension.

Disciplinary records are maintained in LR computers until 10 years after separation. This is true even if the employee thinks the disciplinary records have been expunged. LR records are easily retrieved now that they are stored electronically. Employees should be forewarned and advised to save their own files until separation or later.

Don Cheney
Auburn, WA

USPS updates Privacy Act record systems | Federal Register Notice

Eight-Digit Identification Numbers To Replace Social Security Numbers-The Postal Service started using eight-digit employee identification numbers in replacement of Social Security numbers on employee records effective Pay Period 14-03 (July 3, 2003) . Absent any business-related need for the Social Security number, the employee identification number will replace the Social Security number in all postal systems, beginning with the Time and Attendance System (TACS).In a meeting on June 12, 2003 the Postal Service explained that it wants to remove Social Security numbers from any documents or reports that are available on the work-room floor to help protect employees from identity theft. Social Security numbers will continue to be part of payroll information because the USPS must report the numbers to the Internal Revenue Service. With the substitution of employee identification numbers, however, Social Security numbers will gradually become less visible on printed material. (APWU)

Doe, Buck, et al. v. Chao, Elaine ( Labor Secretary)

JUSTICE SOUTER delivered the opinion of the Court. The United States is subject to a cause of action for the benefit of at least some individuals adversely affected by a federal agency’s violation of the Privacy Act of 1974. The question before us is whether plaintiffs must prove some actual damages to qualify for a minimum statutory award of $1,000. We hold that they must. (2/24/04)

02-1377

Appealed From: 4th Circuit Court of Appeals (Sept. 20, 2002)

Oral Argument: Dec. 3, 2003

Opinion Issued:

Subject: Privacy Act, damages, social security number disclosure

Summary: Supreme Court case seeks to establish how Privacy Act is enforced-Question(s) presented: Whether, under the Privacy Act 5 U.S.C. 552a, individuals who have proven a violation of the act, for the disclosure of their Social Security numbers (SSNs), but cannot prove actual damages, are automatically entitled to $1000 in damages? This case will not only establish how the Privacy Act is enforced, but also how careful the government must be when handling social security numbers in the future.

Background

In Doe, Buck, et al. v. Chao, Elaine (US Dept. of Labor Secretary) , an important privacy case was heard by the Supreme Court on December 3, 2003. This case concerns the wrongful disclosure of the Social Security Number by a federal agency and whether a person should be required to prove actual damages to obtain relief under the Privacy Act. The view of most federal courts, is that it should only be necessary to show "adverse effects" to obtain the minimal $1,000 damages under the Act.

Doe, Buck, et al. v. Chao, Elaine (US Dept. of Labor Secretary)

In this case, the Department of Labor was sued by a class of coal miners who filed claims with the government for black lung benefits. To process the benefit claims, the Department of Labor used each applicant's Social Security Number (SSNs) to identify that applicant's claim. As identification numbers, the SSNs were subsequently disclosed to other applicants, as well as those applicants' employers and lawyers. The SSNs were also made publicly available in administrative law decisions and computerized legal research databases.

After realizing that his Social Security number had been published along with his name on multiparty hearing notices, Doe feared that anyone could use the information to steal his identity. The Labor Department had been publishing claimants’ Social Security numbers for 22 years, without protest from any of the scores of judges, lawyers or black lung claimants who participated in the hearings.

In February 1997, Doe and several others filed suits against the department in federal court in the Western District of Virginia, alleging that the Department had violated their privacy. The United States District Court for the Western District of Virginia consolidated the miner's claims and assigned their case to a magistrate to make recommendations with regard to motions for summary judgment and class certification. The magistrate recommended that the district court grant summary judgment against all the miners with the exception of Buck Doe, finding that they were unable to prove damages. The district court adopted the magistrate's recommendation and granted summary judgment in favor of the government on all claims except that of Doe. With respect to his claim, the court entered summary judgment in favor of Doe, awarding him $1,000 in statutory damages. According to a provision in the 1974 Privacy Act, any individual who has proven an "adverse affect" caused by the government intentionally or willfully violating his or her privacy is entitled to no less than $1,000 compensation., and that because emotional distress is the chief means of proving damage in privacy cases, such emotional distress is sufficient evidence to allow recovery under the Privacy Act. The court found that Doe had demonstrated enough emotional distress to justify recovery, and thus was entitled to statutory damages. But on appeal, Doe’s case was not as successful, being partially overturned by a divided 4th Circuit Court of Appeals panel in September 2002.

The miners (other than Doe) appealed the district court's decision to the Fourth Circuit, arguing that proof of "actual damages" is unnecessary to recover under the Privacy Act, and in the alternative, that the district court's holding with respect to Doe was correct because emotional distress is sufficient evidence of injury to permit an award of damages under the Privacy Act. The government also appealed the district court's decision, claiming that recovery under the Privacy Act is limited to individuals who can produce evidence of "actual damages," which includes only monetary loss and not emotional harm. The Fourth Circuit adopted the government's view and determined that Doe was not entitled to damages under the Privacy Act because he failed to show that any tangible consequences flowed from the emotional distress he experienced due to the disclosure of his SSN.

The Supreme Court granted certiorari June 27, 2003 to consider the question of whether an individual bringing suit under the Privacy Act for wrongful SSN disclosure must prove that he suffered actual monetary damages as a result of the disclosure in order to recover the minimum damages provided by the Privacy Act. (source: Northwestern University)

Links

Doe v. Chao History

Supreme Court's grant of certiorari
Supreme Court Docket in Doe v. Chao
Solicitor General's Opposition to Petition of Writ of Certiorari
Fourth Circuit opinion

Briefs

Solicitor General's Brief for Respondent

Legislative Materials

News

4th Circuit Rules No Recovery Under Privacy Act of SSNs Without Showing of Actual Damages, Tech Law Journal (Sept. 20, 2002)

SUMMARY

April 3, 2003- New law will safeguard patient information Come April 14, there will be a new consumer-protecting position at all area hospitals, physicians’ offices and nursing homes. Privacy officers, as they will be known, are charged with protecting the rights of patients. After April 14, 2003 every person who goes to a doctor’s or dentist’s office, a pharmacist, home health care agency, hospital or nursing home will be given a document called a “Notice of Privacy Practices” that explains the provider’s policies for safeguarding the confidentiality in the use and disclosure of patient health information. All health insurers also are required to provide the notice. The change is required by a new Federal law called the Health Insurance Portability and Accountability Act (HIPAA) that, according to the U.S. Department of Health and Human Services, is intended to provide consumers with personal privacy protections and access to high-quality health care.

more info: Visit Federal HIPAA Regulation Mandates

Frequently Asked Questions About Privacy of Medical Information-OPM

GUIDELINES

OCR HIPAA Privacy
December 3, 2002

Revised April 3, 2003

NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION

[45 CFR 164.520]

Background

The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights.

How the Rule Works

General Rule. The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information. Most covered entities must develop and provide individuals with this notice of their privacy practices.

The Privacy Rule does not require the following covered entities to develop a notice:

* Health care clearinghouses, if the only protected health information they create or receive is as a business associate of another covered entity. See 45 CFR 164.500(b)(1).

* A correctional institution that is a covered entity (e.g., that has a covered health care provider component).

* A group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs, and that does not create or receive protected health information other than summary health information or enrollment or disenrollment information. See 45 CFR 164.520(a).

Content of the Notice. Covered entities are required to provide a notice in plain language that describes:

* How the covered entity may use and disclose protected health information about an individual.

* The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.

* The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.

* Whom individuals can contact for further information about the covered entity’s privacy policies.

The notice must include an effective date. See 45 CFR 164.520(b) for the specific requirements for developing the content of the notice.

A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health plans, and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with individuals.

Providing the Notice.

* A covered entity must make its notice available to any person who asks for it.

* A covered entity must prominently post and make available its notice on any web site it maintains that provides information about its customer services or benefits.

* Health Plans must also:

< Provide the notice to individuals then covered by the plan no later than April 14, 2003 (April 14, 2004, for small health plans) and to new enrollees at the time of enrollment.

< Provide a revised notice to individuals then covered by the plan within 60 days of a material revision.

< Notify individuals then covered by the plan of the availability of and how to obtain the notice at least once every three years.

Covered Direct Treatment Providers must also:

< Provide the notice to the individual no later than the date of first service delivery (after the April 14, 2003 compliance date of the Privacy Rule) and, except in an emergency treatment situation, make a good faith effortto obtain the individual’s written acknowledgment of receipt of the notice.

If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained.

< When first service delivery to an individual is provided over the Internet, through e-mail, or otherwise electronically, the provider must send an electronic notice automatically and contemporaneously in response to the individual’s first request for service. The provider must make a good faith effort to obtain a return receipt or other transmission from the individual in response to receiving the notice.

< In an emergency treatment situation, provide the notice as soon as it is reasonably practicable to do so after the emergency situation has ended. In these situations, providers are not required to make a good faith effort to obtain a written acknowledgment from individuals.

< Make the latest notice (i.e., the one that reflects any changes in privacy policies) available at the provider’s office or facility for individuals to request to take with them, and post it in a clear and prominent location at the facility.

A covered entity may e-mail the notice to an individual if the individual agrees to receive an electronic notice. See 45 CFR 164.520(c) for the specific requirements for providing the notice.

Organizational Options.

Any covered entity, including a hybrid entity or an affiliated covered entity, may choose to develop more than one notice, such as when an entity performs different types of covered functions (i.e., the functions that make it a health plan, a health care provider, or a health care clearinghouse) and there are variations in its privacy practices among these covered functions. Covered entities are encouraged to provide individuals with the most specific notice possible.

Covered entities that participate in an organized health care arrangement may choose to produce a single, joint notice if certain requirements are met. For example, the joint notice must describe the covered entities and the service delivery sites to which it applies. If any one of the participating covered entities provides the joint notice to an individual, the notice distribution requirement with respect to that individual is met for all of the covered entities. See 45 CFR 164.520(d).

NEWS

New law will safeguard patient information

By DIANA ROSSETTI Repository Living section writer

Come April 14, there will be a new consumer-protecting position at all area hospitals, physicians’ offices and nursing homes.

Privacy officers, as they will be known, are charged with protecting the rights of patients. After April 14, every person who goes to a doctor’s or dentist’s office, a pharmacist, home health care agency, hospital or nursing home will be given a document called a “Notice of Privacy Practices” that explains the provider’s policies for safeguarding the confidentiality in the use and disclosure of patient health information. All health insurers also are required to provide the notice.

The change is required by a new Federal law called the Health Insurance Portability and Accountability Act (HIPAA) that, according to the U.S. Department of Health and Human Services, is intended to provide consumers with personal privacy protections and access to high-quality health care.

“By that compliance date, each setting needs to train staff about confidentiality and appoint a privacy officer to make sure that policies are operating and they’re also the person to whom a patient can address a question or concern,” explained health care attorney Joseph Feltes, a shareholder with the Jackson Township office of Buckingham, Doolittle & Burroughs.

Feltes, the son of a surgeon, said employers will be affected profoundly by HIPAA’s Privacy Rule, which will limit their ability to access and use employee health information for making employment decisions. No longer will a self-insured employer be able to obtain employee health information from the group health plan without the employee’s written authorization.

There is good reason for the new law, Feltes said, Historically, medical claims information has been transmitted electronically in more than 400 formats. Designing a uniform format for transmission can not help but assist in safeguarding the accuracy of medical information.

The new law also gives consumers greater access and control of information contained in their medical and health-care insurance records. Patients, for example, will have the right to inspect their medical and claims records, request amendments to correct errors in their records and request certain restrictions on how their health information may be used or disclosed. Record amendments will not be approved, however, if the information contained therein is accurate or has clinical significance.

When those matters are not settled to their satisfaction, consumers will have the right under HIPAA to file a complaint with the health-care provider or health-care insurer if they believe their privacy rights have been violated. They also may file a complaint with the Office for Civil Rights, the agency charged with enforcing the Privacy Rule.

As increasing numbers of agencies and consumers voiced concerns about the security of health information transmited electronically, the Privacy Rule was developed.

“Now privacy rules address the confidential and security rules address the electronic component,” Feltes said. “One of the things discussed at length was that we’re going to be transmitting across state lines. Each state had a different body of rules and laws to protect consumers. It was a patchwork. This uniform Federal law will pre-empt state law.”

The end product, HIPAA, is 100 pages of rules and 1600 pages of commentary, a compilation Feltes describes tongue-in-cheek as “a monument to micromanagement.”

“Seriously, though, what I have found in dealing with physicians’ offices, hospitals, plans and others involved is that, historically, they’ve done a pretty good job. This new law is intended that they do even a better job. It’s similar to what we all received over the last year and a half from banks and credit card companies due to a Federal act requiring disclosure.,” Feltes said. “It also empowers individuals.”

At Aultman Hospital, privacy officer Tim Regula said the general guidelines for what information a hospital is permitted to provide reporters and others calling for a condition report is straightforward.

“If they ask for a patient by name, yes, we can confirm the fact they they are here, their location and a one-word condition report,” Regula said. “When you talk about different hospitals, they may vary a bit in what they choose to call their patient directory. We define it as in-patient, emergency room patient and same-day surgery patient. Patients may opt out as they always have been able to do and then we’ll say we have no information. If somebody comes in for an X-ray, we don’t provide information. Other hospitals may include everybody (in the hospital).”

If a news reporter calls the hospital to inquire about accident victims but does not have a specific victim name, Regular said, no information can be given.

At a Office for Civil Rights day-long briefing in Chicago, one of many Feltes attended, speakers urged consumers who encounter a problem first to contact the privacy officer of the office affected.

There are stiff penalties for violators of the HIPAA’s Privacy Rule. They can include criminal fines and incarceration if health information is sold to telemarketers, for example.

FEDERAL REGISTER NOTICES

Downloaded from the Federal Register Web Site

[Notices]               
[Page 13711-13712]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr20mr03-67]                         

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office for Civil Rights

 
Notice of Addresses for Submission of HIPAA Health Information 
Privacy Complaints

AGENCY: Office for Civil Rights, HHS.

ACTION: Notification of addresses for submission of HIPAA Health 
Information Privacy Complaints for violations occurring on or after 
April 14, 2003.

-----------------------------------------------------------------------

SUMMARY: This notice sets out the addresses for filing a complaint with 
the Secretary of the Department of Health and Human Services, for non-
compliance by a covered entity with the standards for privacy of 
individually identifiable health information under 45 CFR parts 160 and 
164 (the Privacy Rule). The Privacy Rule implements certain provisions 
of the Administrative Simplification subtitle of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191. 
Complaints must be submitted in writing to the Office for Civil Rights 
at the appropriate address, as described below.

EFFECTIVE DATE: April 14, 2003.

ADDRESSES: See SUPPLEMENTARY INFORMATION section for the list of 
addresses for filing complaints.

SUPPLEMENTARY INFORMATION: 45 CFR section 160.306 establishes general 
provisions for submission of complaints against a covered entity for 
non-compliance with the HIPAA Privacy Rule. A person who believes a 
covered entity is not complying with these requirements may file a 
complaint with the Secretary. A covered entity is a health plan, health 
care clearinghouse, and any health care provider who conducts certain 
health care transactions electronically. Complaints to the Secretary 
must: (1) Be filed in writing, either on paper or electronically; (2) 
name the entity that is the subject of the complaint and describe the 
acts or omissions believed to be in violation of the applicable 
requirements of part 160 or the applicable standards, requirements, and 
implementation specifications of subpart E of part 164; and (3) be 
filed within 180 days of when the complainant knew or should have known 
that the act or omission complained of occurred, unless this time limit 
is waived by the Office for Civil Rights for good cause shown. 
Complaints to the Secretary may be filed only with respect to alleged 
violations occurring on or after April 14, 2003.
    The Secretary has delegated to the Office for Civil Rights (OCR) 
the authority to receive and investigate complaints as they may relate 
to the Privacy Rule. See 65 FR 82381 (Dec. 28, 2000). Individuals may 
file written complaints with OCR by mail, fax or e-mail at the 
addresses listed below. Individuals may, but are not required to, use 
OCR's Health Information Privacy Complaint Form. To obtain a copy of 
this form, or for more information about the Privacy Rule or how to 
file a complaint with OCR, contact any OCR office or go to www.hhs.gov/
ocr/hipaa/. For more information on what entities are covered by 
HIPAA, go to www.cms/hipaa/hipaa2/support/tools/decisionsupport/
default.asp.

    As listed below, health information privacy complaints to the 
Secretary should be addressed to the OCR regional office that is 
responsible for matters relating to the Privacy Rule arising in the 
State or jurisdiction where the covered entity is located. Complaints 
may also be filed via email at the address noted below.

Where To File Complaints Concerning Health Information Privacy

    For complaints involving covered entities located in Connecticut, 
Maine, Massachusetts, New Hampshire, Rhode Island, or Vermont:

Region I, Office for Civil Rights, U.S. Department of Health and Human 
Services, Government Center, J.F. Kennedy Federal Building--Room 1875, 
Boston, Massachusetts 02203. Voice phone (617) 565-1340. FAX (617) 565-
3809. TDD (617) 565-1343.

    For complaints involving covered entities located in New Jersey, 
New York, Puerto Rico, or Virgin Islands:

Region II, Office for Civil Rights, U.S. Department of Health and Human 
Services, Jacob Javits Federal Building, 26 Federal Plaza--Suite 3312, 
New York, New York, 10278. Voice Phone (212) 264-3313. FAX (212) 264-
3039. TDD (212) 264-2355.

    For complaints involving covered entities located in Delaware, 
District of Columbia, Maryland, Pennsylvania, Virginia, or West 
Virginia:

Region III, Office for Civil Rights, U.S. Department of Health and 
Human Services, 150 S. Independence Mall West, Suite 372, Public Ledger 
Building, Philadelphia, PA 19106-9111. Main Line (215) 861-4441. 
Hotline (800) 368-1019. FAX (215) 861-4431. TDD (215) 861-4440.

    For complaints involving covered entities located in Alabama, 
Florida, Georgia, Kentucky, Mississippi, North Carolina, South 
Carolina, or Tennessee:

Region IV, Office for Civil Rights, U.S. Department of Health and Human 
Services, Atlanta Federal Center, Suite 3B70, 61 Forsyth Street, SW., 
Atlanta, GA 30303-8909. Voice Phone (404) 562-7886. FAX (404) 562-7881. 
TDD (404) 331-2867.

    For complaints involving covered entities located in Illinois, 
Indiana, Michigan, Minnesota, Ohio, or Wisconsin:

Region V, Office for Civil Rights, U.S. Department of Health and Human 
Services, 233 N. Michigan Ave., Suite 240, Chicago, Ill. 60601. Voice 
Phone (312) 886-2359. FAX (312) 886-1807. TDD (312) 353-5693.

    For complaints involving covered entities located in Arkansas, 
Louisiana, New Mexico, Oklahoma, or Texas:

Region VI, Office for Civil Rights, U.S. Department of Health and Human 
Services, 1301 Young Street, Suite 1169, Dallas, TX 75202. Voice Phone 
(214) 767-4056. FAX (214) 767-0432. TDD (214) 767-8940.

    For complaints involving covered entities located in Iowa, Kansas, 
Missouri, or Nebraska:

Region VII, Office for Civil Rights, U.S. Department of Health and 
Human Services, 601 East 12th Street--Room 248, Kansas City, Missouri 
64106. Voice Phone (816) 426-7278. FAX (816) 426-3686. TDD (816) 426-
7065.

    For complaints involving covered entities located in Colorado, 
Montana, North Dakota, South Dakota, Utah, or Wyoming:

Region VIII, Office for Civil Rights, U.S. Department of Health and 
Human Services, 1961 Stout Street--Room 1185 FOB, Denver, CO 80294-
3538. Voice Phone (303) 844-2024. FAX (303) 844-2025. TDD (303) 844-
3439.

    For complaints involving covered entities located in American 
Samoa, Arizona, California, Guam, Hawaii, or Nevada:

Region IX, Office for Civil Rights, U.S. Department of Health and Human 
Services, 50 United Nations Plaza--

[[Page 13712]]

Room 322, San Francisco, CA 94102. Voice Phone (415) 437-8310. FAX 
(415) 437-8329. TDD (415) 437-8311.

    For complaints involving covered entities located in Alaska, Idaho, 
Oregon, or Washington:

Region X, Office for Civil Rights, U.S. Department of Health and Human 
Services, 2201 Sixth Avenue--Suite 900, Seattle, Washington 98121-1831. 
Voice Phone (206) 615-2287. FAX (206) 615-2297. TDD (206) 615-2296.

    For all complaints filed by e-mail send to: OCRComplaint@hhs.gov.

FOR FURTHER INFORMATION CONTACT: Lester Coffer, Office for Civil 
Rights, Department of Health and Human Services, Mail Stop Room 506F, 
Hubert H. Humphrey Building, 200 Independence Avenue, SW., Washington, 
DC 20201. Telephone number: (202) 205-8725.

    Dated: March 12, 2003.
Richard M. Campanelli,
Director, Office for Civil Rights.
[FR Doc. 03-6651 Filed 3-19-03; 8:45 am]

BILLING CODE 4153-01-P

[Notices]
[Page 82381]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr28de00-100]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary


Office for Civil Rights; Statement of Delegation of Authority

    Notice is hereby given that I have delegated to the Director,
Office for Civil Rights (OCR), with authority to redelegate, the
following authorities vested in the Secretary of Health and Human
Services:
    1. The authority under section 262 of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191,
as amended, to the extent that these actions pertain to the Standards
for the Privacy of Individually Identifiable Health Information, to:
    A. impose civil monetary penalties, under section 1176 of the
Social Security Act, for a covered entity's failure to comply with
certain requirements and standards;
    B. make exception determinations, under section 1178(a)(2)(A) of
the Social Security Act, concerning when provisions of State laws that
are contrary to the federal standards are not preempted by the federal
provisions; and
    2. The authority under section 264 of HIPAA, as amended, to
administer the regulations, ``Standards for the Privacy of Individually
Identifiable Health Information,'' 45 CFR Part 164, and General
Administrative Requirements, 45 CFR Part 160, as these requirements
pertain to Part 164, and to make decisions regarding the
interpretation, implementation and enforcement of these Standards and
General Administrative Requirements.
    I hereby affirm and ratify any actions taken by the Director of
OCR, or any subordinates, involving the exercise of the authorities
delegated herein prior to the effective date of this delegation. This
Delegation of Authority is effective concurrent with the effective date
of the regulations, 45 CFR Parts 160 through 164.

    Dated: December 20, 2000.
Donna E. Shalala,
Secretary.
[FR Doc. 00-33039 Filed 12-27-00; 8:45 am]
BILLING CODE 4153-01-M