Privacy
Background:
Under the Health Insurance Portability and Accountability
Act of 1996 (HIPAA), Public Law 104-191, the US Department of Health
and Human Services (DHHS) published proposed regulations on November 3, 1999
establishing national standards for the privacy of health information.
Who Is Subject to These Regulations?
("Covered Entities")
The following entities are covered by the proposed regulations:
- All health care providers who choose to transmit
health information electronically
- All health plans
- All health care clearinghouses
Covered entities would be allowed to disclose
health information to persons or organizations they hire to perform
functions on their behalf. These "business partners" would
not be permitted, under contractual obligation with the covered entity,
to use or disclose protected health information in ways that would not
be permitted of the covered entity itself.
What Health Information Is Covered by the
Proposed Regulations?
("Protected health information")
The proposed regulations protect health information
that 1) identifies an individual and 2) is maintained or exchanged electronically.
If the information has any components that could be used to identify
a person, it would be covered. The protection would stay with the information
as long as the information is in the hands of a covered entity or a
business partner. The paper progeny of electronic information is covered
(i.e. the information would not lose its protections simply because
it is printed out of a computer).
Uses and Disclosures Permitted with Individual
Authorization
Covered entities could use or disclose protected
health information with the individual's authorization for any lawful
purpose. A standard form would be established for this purpose. Each
authorization must specify the information to be disclosed, who would
get the information, and when the authorization would expire. Individuals
could revoke an authorization at any time.
The regulations would prohibit covered entities from conditioning treatment
or payment on the individual agreeing to disclose information for other
purposes, and require the authorization form to state this prohibition.
Disclosures Permitted Without Authorization
for Health Care Treatment, Payment, and Operations
Covered entities could use and disclose protected
health information without authorization for treatment, payment and
health care operations. This would include purposes such as quality
assurance, utilization review, credentialing, and other activities that
are part of ensuring appropriate treatment and payment. Individuals
may ask a covered entity to restrict further use and disclosure of protected
health information for treatment, payment, or health care operations
(with the exception of uses or disclosures required by law). The covered
entity would not be required to agree to such a request, but if the
covered entity and the individual agree to a restriction, the covered
entity would be bound by the agreement.
Other Uses and
Disclosures of Health Information Permitted Without Authorization
Covered entities could use and disclose protected health information
without individual authorization for the following national priority
activities:
- Oversight of the health care system, including
quality assurance activities
- Public health, and in emergencies affecting
life or safety
- Research
- Judicial and administrative proceedings
- Law enforcement
- To provide information to next-of-kin
- For government health data systems
- For identification of the body of a deceased
person, or the cause of death
- For facilities' (hospitals, etc.) directories
- To financial institutions, for processing
payments for health care
- In other situations where the use or disclosure
is mandated by other laws.
Individual rights:
The proposed rule would provide basic rights for individuals with respect
to their protected health
information. Individuals would have:
- The right to receive a written notice of
information practices from health plans and providers. The notice
must describe the types of uses and disclosures that the plan or provider
would make with health information (not just those uses and disclosures
that could lawfully be made).
- The right to obtain access to protected
health information about them, including a right to inspect and obtain
a copy of the information.
- The right to request amendment or correction
of protected health information that is inaccurate or incomplete.
- The right to receive an accounting of the
instances where protected health information about them has been disclosed
by a covered entity for purposes other than treatment, payment, or
health care operations.
Administrative
Requirements for Covered Entities
Under the proposed rules, providers and payers are required to implement
basic administrative procedures to protect health information. Among
them:
- Develop a Notice of Information Practices;
- Allow individuals to inspect and copy their
protected health information;
- Develop a mechanism for accounting for all disclosures
made for purposes other than treatment, payment, and health care operations;
- Allow individuals to request amendments or
corrections to their protected health information;
- Designate a privacy official;
- Provide privacy training to members of
its workforce who would have access to protected health information;
- Implement physical and administrative
safeguards to protect health information from intentional or accidental
misuse;
- Establish policies and procedures to allow
individuals to log complaints about the entity's information practices,
and maintain a record of any complaints;
- Develop a system of sanctions for members
of the workforce and business partners who violate the entity's
policies;
- Have available documentation regarding compliance
with the requirements of the regulation;
- Develop methods for disclosing only the minimum
amount of protected health information necessary to accomplish any intended
purpose; and
- Develop and use contracts that will ensure
that business partners also protect the privacy of identifiable health
information.
Preemption of State Laws
Pursuant to the HIPAA law, this rule will preempt
state laws that are in conflict with the regulatory requirements with
exceptions for certain public health functions and related activities.
Enforcement and Penalties
Under HIPAA, the Secretary is granted the authority
to impose civil monetary penalties against those covered entities that
fail to comply with the requirements of this regulation.