U.S. DEPARTMENT OF HEALTH & HUMAN SERVICES

Proposed Standards for Privacy of Individually Identifiable Health Information

Statutory Requirement

Section 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, enacted August 21, 1996, requires that, if legislation establishing privacy standards is not enacted “by the date that is 36 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act.”

The statutory deadline for Congress to enact legislation was August 21, 1999. Absent legislation, HHS has developed its proposed rule.

Overview

The proposed rule would:

• allow health information to be used and shared easily for the treatment and for payment of health care;
• allow health information to be disclosed without an individual’s authorization for certain national priority purposes (such as research, public health and oversight), but only under defined circumstances;
• require written authorization for use and disclosure of health information for other purposes, and
• create a set of fair information practices to inform people of how their information is used and disclosed, ensure that they have access to information about them, and require health plans and providers to maintain administrative and physical safeguards to protect the confidentiality of health information and protect against unauthorized access.

Scope

a. Entities covered by the proposed rule

• Health care providers who transmit health information electronically
• Health plans
• Health care clearinghouses

b. Health information covered by the proposed rule (“Protected health information”)

• Protection would start when information becomes electronic, and would stay with the information as long as the information is in the hands of a covered entity.
  • Information becomes electronic either by being sent electronically as one of the specified Administrative Simplification transactions or by being maintained in a computer system.
  • The paper progeny of electronic information is covered; the information would not lose its protections simply because it is printed out of the computer.
  • HIPAA protects the information itself, not the record in which the information appears.
• The information must be “identifiable.” If the information has any components that could be used to identify the subject, it would be covered.

General rules

We propose that covered entities be prohibited from using or disclosing health information except: as authorized by the patient, or as explicitly permitted by the regulation. The regulation would permit use and disclosure of health information without authorization for purposes of health care treatment, payment and operations, and for specified national policy activities under conditions tailored for each type of such permitted use or disclosure.

• The amount of information to be used or disclosed would be restricted to the minimum amount necessary to accomplish the relevant purpose, taking into consideration practical and technological limitations.
  • There would be exceptions for situations in which assessment of what is minimally necessary is appropriately made by someone other than the covered entity (e.g., such as when an individual authorizes a use or disclosure of information, or when the disclosure is mandatory under another law).
  • We would allow covered entities to rely on requests by certain public agencies in determining the minimum necessary information for certain disclosures.
  • Under the principle of minimum necessary use, if an entity consists of several different components, the entity would be required to create barriers between components so that information is not used or shared inappropriately.
• To encourage covered entities to strip identifiers from health information when it is possible to do so, we would permitted a covered entity to use and disclose such de- identified information in any way, provided that:
  • it does not disclose the key or other mechanism that would enable the information to be re-identified, and
  • it has no reason to believe that such use or disclosure will result in the use or disclosure of protected health information (e.g., because the recipient has the means to re-identify the information).
• We would treat the key to coded identifiers the same as the information to which it pertains. A covered entity could use or disclose a key only as it could use or disclose the underlying information.
• We would permit covered entities to disclose protected health information to persons they hire to perform functions on their behalf, where such information is needed for that function. These ?business partners” would include contractors such as lawyers, auditors, consultants, health care clearinghouses, and billing firms, but not members of the covered entity’s workforce.
• Except where the business partner is providing a treatment consultation or referral, we would require covered entities to enter into contracts with their business partners and would require the contracts to include terms to ensure that the protected health information disclosed to a business partner remains confidential. Business partners would not be permitted to use or disclose protected health information in ways that would not be permitted of the covered entity itself. We use the contract as a tool for protecting information, because the HIPAA does not provide legislative authority for the rule to reach many such business partners directly.
• The uses and disclosures permitted by this rule would be exactly that -- permitted, not required. For disclosures not compelled by other law, providers and payers would be free to disclose or not, according to their own policies and principles. At the same time, nothing in this rule would provide authority for a covered entity to refuse to make a disclosure mandated by other law.
• Only two disclosures would be required by this proposed rule: disclosure to the subject individual pursuant to the individual’s request to inspect and copy health information about him or her, and certain disclosures for the purposes of enforcing the rule.
• Health information covered by the proposed rule generally would remain protected for two years after the death of the subject of the information, subject to certain exceptions.

Disclosures without authorization for health care treatment, payment, and operations

• Covered entities could use and disclose protected health information without authorization for treatment, payment and health care operations. This would include purposes such as quality assurance, utilization review, credentialing, and other activities that are part of ensuring appropriate treatment and payment.
• Individuals generally could ask a covered entity to restrict further use and disclosure of protected health information for treatment, payment, or health care operations, with the exception of uses or disclosures required by law. The covered entity would not be required to agree to such a request, but if the covered entity and the individual agree to a restriction, the covered entity would be bound by the agreement.

Uses and disclosures with individual authorization

• Covered entities could use or disclose protected health information with the individual’s authorization for almost any lawful purpose.
• We would prohibit covered entities from conditioning treatment or payment on the individual agreeing to disclose information for other purposes, and require the authorization form to state this prohibition.
• While the provisions of this proposed rule are intended to make authorizations for treatment and payment purposes unnecessary, some States may continue to require them. Generally, this rule would not supersede such State requirements. However:
  • the rule would impose a new requirement that such State-mandated authorizations must be physically separate from an authorization for other purposes described in this rule.
  • the authorization would have to meet the rule’s requirements for the content of such authorizations (although a state law could require that an authorization contain additional provisions).
• We would require authorizations to specify the information to be disclosed, who would get the information, and when the authorization would expire. If an authorization is sought so that a covered entity may sell or barter the information, the covered entity would have to disclose this fact on the authorization form.
• Use or disclosure of information by the covered entity inconsistent with the authorization would be unlawful.
• Individuals could revoke an authorization.

Permissible uses and disclosures for purposes other than treatment, payment and operations

• Covered entities could use and disclose protected health information without individual authorization for the following national priority activities:
  • Oversight of the health care system, including quality assurance activities;
  • Public health, and in emergencies affecting life or safety;
  • Research;
  • Judicial and administrative proceedings;
  • Law enforcement;
  • To provide information to next-of-kin;
  • For identification of the body of a deceased person, or the cause of death;
  • For government health data systems;
  • For facilities’ (hospitals, etc.) directories;
  • To financial institutions, for processing payments for health care; and
  • In other situations where the use of disclosure is mandated by other, consistent with the requirements of the other law.
• Specific conditions would have to be met in order for the use or disclosure of protected health information to be permitted. These conditions are tailored to the need for each specific category listed above and to the types of organizations involved in such activities.

Individual rights

The proposed rule would provide several basic rights for individuals with respect to protected health information about them. Individuals would have:

• The right to receive a written notice of information practices from health plans and providers. The notice must describe the types of uses and disclosures that the plan or provider would make with health information (not just those uses and disclosures that could lawfully be made). When plans and providers change their information practices, they would also have to update the notice. Plans and providers would be required to follow the information practices specified in their most current notice.
• The right to obtain access to protected health information about them, including a right to inspect and obtain a copy of the information.
• The right to request amendment or correction of protected health information that is inaccurate or incomplete.
• The right to receive an accounting of the instances where protected health information about them has been disclosed by a covered entity for purposes other than treatment, payment, or health care operations (subject to certain time-limited exceptions for disclosures to law enforcement and oversight agencies).

Administrative requirements and policy development and documentation

This proposed rule would require providers and payers to develop and implement basic administrative procedures to protect health information and the rights of individuals with respect to that information.

• Covered entities would be required to maintain documentation of their policies and procedures for complying with the requirements of the proposed rule. The documentation must include a statement of the entity’s practices regarding who would have access to protected health information, how that information would be used within the entity, and when that information would or would not be disclosed to other entities.
• Covered entities would be required to have in place administrative systems, appropriate to the nature and scope of their business, that enable them to protect health information in accordance with this rule. Specifically, covered entities would be required to:
  • designate a privacy official;
  • provide privacy training to members of its workforce;
  • implement safeguards to protect health information from intentional or accidental misuse;
  • provide a means for individuals to lodge complaints about the entity’s information practices, and maintain a record of any complaints; and
  • develop a system of sanctions for members of the workforce and business partners who violate the entity’s policies.

Scalability

We propose privacy standards that covered entities must meet, but leave the detailed policies and procedures for meeting these standards to the discretion of each covered entity.

• We intend that implementation of these standards be flexible and scalable, to account for nature of each covered entity’s business, and the covered entity’s size and resources. We would require that each covered entity assess its own needs and implement privacy policies appropriate to its information practices and business requirements.
• The preamble to the proposed rule will include examples of how implementation of these standards are scalable.

Preemption

Pursuant to HIPAA, this rule will preempt state laws that are in conflict with the regulatory requirements and that provide less stringent privacy protections, with specified exceptions for certain public health functions and related activities.

Enforcement

• Under HIPAA, the Secretary is granted the authority to impose civil monetary penalties against those covered entities which fail to comply with the requirements of this regulation.
• HIPAA also established criminal penalties for certain wrongful disclosures of protected health information. These penalties are graduated, increasing if the offense is committed under false pretenses, or with intent to sell the information or reap other personal gain.
• Civil monetary penalties are capped at $25,000 for each calendar year for each standard that is violated.

What this proposed rule does not do

• The HIPAA limits the application of our proposed rule to the covered entities. It does not provide the authority for the rule to reach many entities that receive health information from these covered entities, so the rule cannot put in place appropriate restrictions on how such recipients of protected health information may use and re-disclose such information.
• Any provider who maintains a solely paper information system cannot be subject to these privacy standards.
• There is no statutory authority for a private right of action for individuals to enforce their privacy rights.