HIPAA Regulatory Alert

Groups suggest basic principles for PHI privacy

Basic principles need to be incorporated in all rules, regulations, or laws pertaining to personal health information (PHI) if it is expected to flow across organizational boundaries through the nationwide health information network, according to the American Medical Informatics Association (AMIA) and the American Health Information Management Association (AHIMA).

"Public confidence that personal health information will be respected and that identifiable information, to the maximal extent possible, will be used only for authorized purposes is essential to the success of any electronic health information exchange," said AMIA President Don Detmer. "Health information confidentiality and security protections must follow PHI no matter where it resides."

The two associations said organizations accessing or storing PHI should follow these principles:

  • Inform individuals, through clear communications, about their rights and obligations and the laws and regulations governing protection and use of PHI.
  • Notify individuals in clear language about the organization's privacy practices and their rights in cases of breaches.
  • Provide individuals with a convenient, affordable mechanism to inspect, copy, or amend their identified health information/records.
  • Protect the confidentiality of PHI to the fullest extent prescribed under HIPAA, and ensure that the organization and its employees all comply with HIPAA, state laws, and the policies and procedures put in place to protect PHI.
  • Use PHI only for legitimate purposes as defined under HIPAA or applicable laws.
  • Prohibit the use of PHI for discriminatory practices, including those related to insurance coverage or employment decisions.
  • Notify individuals in a timely manner if security breaches have compromised the confidentiality of their PHI.
  • Work with appropriate law enforcement to prosecute to the maximum extent allowable by law any individual or organization that intentionally misuses PHI.
  • Continuously improve processes, procedures, education, and technology so that PHI practices improve over time.

The organizations also renewed their position in favor of federal preemption of state health care privacy laws. HIPAA allows states to maintain their own health care privacy laws as long as they are more stringent than those in the federal rule. Many states reportedly have laws with tougher health care privacy provisions than HIPAA, particularly in the areas of drug and alcohol abuse, HIV/AIDS, and mental health treatment.

In 2002, California enacted a law requiring people to be notified if their personal information has been compromised by a privacy or security breach, and since then an additional 32 states have passed such laws. HIPAA does not have a notification requirement.

The joint policy position contains a provision that "uniform and universal protections for PHI should apply across all jurisdictions in order to facilitate consistent understanding by those covered by such laws and the individuals whose health information is covered by such laws."

More information is available on-line at http://www.amia.org/informatics/public_policy/docs/amia_ahimajointconfidentialitystatement.pdf.