Proposed Standards for Privacy of Individually Identifiable Health Information
Statutory Requirement
Section 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, enacted August 21, 1996, requires that, if legislation establishing privacy standards is not enacted by the date that is 36 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act.
The statutory deadline for Congress to enact legislation was August 21, 1999. Absent legislation, HHS has developed its proposed rule.
Overview
The proposed rule would:
allow health information to be used and shared easily for treatment and
for payment of health care;
allow health information to be disclosed without an individual's
authorization for certain national priority purposes (such as research,
public health and oversight), but only under defined circumstances;
require written authorization for use and disclosure of health information
for other purposes, and
create a set of fair information practices to inform people of how their
information is used and disclosed, ensure that they have access to
information about them, and require health plans and providers to maintain
administrative and physical safeguards to protect the confidentiality of
health information and protect against unauthorized access.
Scope
a. Entities covered by the proposed rule
Health care providers who transmit health information electronically
Health plans
Health care clearinghouses
b. Health information covered by the proposed rule ("Protected health
information")
Protection would start when information becomes electronic, and would stay
with the information as long as the information is in the hands of a covered
entity.
Information becomes electronic either by being sent electronically as one of
the specified Administrative Simplification transactions or by being
maintained in a computer system.
The paper progeny of electronic information is covered; the information would
not lose its protections simply because it is printed out of the computer.
HIPAA protects the information itself, not the record in which the
information appears.
The information must be "identifiable." If the information has any components
that could be used to identify the subject, it would be covered.
General rules
We propose that covered entities be prohibited from using or disclosing
health information except: as authorized by the patient, or as explicitly
permitted by the regulation. The regulation would permit use and disclosure
of health information without authorization for purposes of health care
treatment, payment and operations, and for specified national policy
activities under conditions tailored for each type of such permitted use or
disclosure.
The amount of information to be used or disclosed would be restricted to the
minimum amount necessary to accomplish the relevant purpose, taking into
consideration practical and technological limitations.
There would be exceptions for situations in which assessment of what is
minimally necessary is appropriately made by someone other than the covered
entity (e.g., such as when an individual authorizes a use or disclosure of
information, or when the disclosure is mandatory under another law).
We would allow covered entities to rely on requests by certain public
agencies in determining the minimum necessary information for certain
disclosures.
Under the principle of minimum necessary use, if an entity consists of
several different components, the entity would be required to create barriers
between components so that information is not used or shared inappropriately.
To encourage covered entities to strip identifiers from health information
when it is possible to do so, we would permit a covered entity to use and
disclose such de-identified information in any way, provided that:
it does not disclose the key or other mechanism that would enable the
information to be re-identified, and
it has no reason to believe that such use or disclosure will result in the
use or disclosure of protected health information (e.g., because the
recipient has the means to re-identify the information).
We would treat the key to coded identifiers the same as the information to
which it pertains. A covered entity could use or disclose a key only as it
could use or disclose the underlying information.
We would permit covered entities to disclose protected health information to
persons they hire to perform functions on their behalf, where such
information is needed for that function. These "business partners" would
include contractors such as lawyers, auditors, consultants, health care
clearinghouses, and billing firms, but not members of the covered entity's
workforce.
Except where the business partner is providing a treatment consultation or
referral, we would require covered entities to enter into contracts with
their business partners and would require the contracts to include terms to
ensure that the protected health information disclosed to a business partner
remains confidential. Business partners would not be permitted to use or
disclose protected health information in ways that would not be permitted of
the covered entity itself. We use the contract as a tool for protecting
information, because HIPAA does not provide legislative authority for the
rule to reach many such business partners directly.
The uses and disclosures permitted by this rule would be exactly that --
permitted, not required. For disclosures not compelled by other law,
providers and payers would be free to disclose or not, according to their own
policies and principles. At the same time, nothing in this rule would provide
authority for a covered entity to refuse to make a disclosure mandated by
other law.
Only two disclosures would be required by this proposed rule: disclosure to
the subject individual pursuant to the individual's request to inspect and
copy health information about him or her, and certain disclosures for the
purposes of enforcing the rule.
Health information covered by the proposed rule generally would remain
protected for two years after the death of the subject of the information,
subject to certain exceptions.
Disclosures without authorization for health care treatment, payment, and
operations
Covered entities could use and disclose protected health information without
authorization for treatment, payment and health care operations. This would
include purposes such as quality assurance, utilization review,
credentialing, and other activities that are part of ensuring appropriate
treatment and payment.
Individuals generally could ask a covered entity to restrict further use and
disclosure of protected health information for treatment, payment, or health
care operations, with the exception of uses or disclosures required by law.
The covered entity would not be required to agree to such a request, but if
the covered entity and the individual agree to a restriction, the covered
entity would be bound by the agreement.
Uses and disclosures with individual authorization
Covered entities could use or disclose protected health information with the
individual's authorization for almost any lawful purpose.
We would prohibit covered entities from conditioning treatment or payment on
the individual agreeing to disclose information for other purposes, and
require the authorization form to state this prohibition.
While the provisions of this proposed rule are intended to make
authorizations for treatment and payment purposes unnecessary, some States
may continue to require them. Generally, this rule would not supersede such
State requirements. However:
the rule would impose a new requirement that such State-mandated
authorizations must be physically separate from an authorization for other
purposes described in this rule.
the authorization would have to meet the rule's requirements for the content
of such authorizations (although a state law could require that an
authorization contain additional provisions).
We would require authorizations to specify the information to be disclosed,
who would get the information, and when the authorization would expire. If an
authorization is sought so that a covered entity may sell or barter the
information, the covered entity would have to disclose this fact on the
authorization form.
Use or disclosure of information by the covered entity inconsistent with the
authorization would be unlawful.
Individuals could revoke an authorization.
Permissible uses and disclosures for purposes other than treatment, payment
and operations
Covered entities could use and disclose protected health information without
individual authorization for the following national priority activities:
Oversight of the health care system, including quality assurance activities;
Public health, and in emergencies affecting life or safety;
Research;
Judicial and administrative proceedings;
Law enforcement;
To provide information to next-of-kin;
For identification of the body of a deceased person, or the cause of death;
For government health data systems;
For facilities' (hospitals, etc.) directories;
To financial institutions, for processing payments for health care; and
In other situations where the use or disclosure is mandated by other law,
consistent with the requirements of the other law.
Specific conditions would have to be met in order for the use or disclosure
of protected health information to be permitted. These conditions are
tailored to the need for each specific category listed above and to the types
of organizations involved in such activities.
Individual rights
The proposed rule would provide several basic rights for individuals with
respect to protected health information about them. Individuals would have:
The right to receive a written notice of information practices from health
plans and providers. The notice must describe the types of uses and
disclosures that the plan or provider would make with health information (not
just those uses and disclosures that could lawfully be made). When plans and
providers change their information practices, they would also have to update
the notice. Plans and providers would be required to follow the information
practices specified in their most current notice.
The right to obtain access to protected health information about them,
including a right to inspect and obtain a copy of the information.
The right to request amendment or correction of protected health information
that is inaccurate or incomplete.
The right to receive an accounting of the instances where protected health
information about them has been disclosed by a covered entity for purposes
other than treatment, payment, or health care operations (subject to certain
time-limited exceptions for disclosures to law enforcement and oversight
agencies).
Administrative requirements and policy development and documentation
This proposed rule would require providers and payers to develop and
implement basic administrative procedures to protect health information and
the rights of individuals with respect to that information.
Covered entities would be required to maintain documentation of their
policies and procedures for complying with the requirements of the proposed
rule. The documentation must include a statement of the entity's practices
regarding who would have access to protected health information, how that
information would be used within the entity, and when that information would
or would not be disclosed to other entities.
Covered entities would be required to have in place administrative systems,
appropriate to the nature and scope of their business, that enable them to
protect health information in accordance with this rule. Specifically,
covered entities would be required to:
designate a privacy official;
provide privacy training to members of their workforce;
implement safeguards to protect health information from intentional or
accidental misuse;
provide a means for individuals to lodge complaints about the entity's
information practices, and maintain a record of any complaints; and
develop a system of sanctions for members of the workforce and business
partners who violate the entity's policies.
Scalability
We propose privacy standards that covered entities must meet, but leave the
detailed policies and procedures for meeting these standards to the
discretion of each covered entity.
We intend that implementation of these standards be flexible and scalable, to
account for the nature of each covered entity's business, and the covered
entity's size and resources. We would require that each covered entity assess
its own needs and implement privacy policies appropriate to its information
practices and business requirements.
The preamble to the proposed rule will include examples of how implementation
of these standards is scalable.
Preemption
Pursuant to HIPAA, this rule will preempt state laws that are in conflict
with the regulatory requirements and that provide less stringent privacy
protections, with specified exceptions for certain public health functions
and related activities.
Enforcement
Under HIPAA, the Secretary is granted the authority to impose civil monetary
penalties against those covered entities which fail to comply with the
requirements of this regulation.
HIPAA also established criminal penalties for certain wrongful disclosures of
protected health information. These penalties are graduated, increasing if
the offense is committed under false pretenses, or with intent to sell the
information or reap other personal gain.
Civil monetary penalties are capped at $25,000 for each calendar year for
each standard that is violated.
What this proposed rule does not do
HIPAA limits the application of our proposed rule to the covered
entities. It does not provide the authority for the rule to reach many
entities that receive health information from these covered entities, so the
rule cannot put in place appropriate restrictions on how such recipients of
protected health information may use and re-disclose such information.
Any provider who maintains a solely paper information system cannot be
subject to these privacy standards.
There is no statutory authority for a private right of action for individuals
to enforce their privacy rights.