Here is more detail about the "Standards for Privacy of Individually Identifiable Health Information," issued by the Department of Health and Human Services (HHS) on Nov. 3, 1999.[1]
• Information that relates to an individual’s health, health care treatment, or payment for health care and that identifies the individual is protected — from the point in time when it becomes electronic.
• The protection continues as long as the data are in the hands of a covered entity, such as a health care provider who transmits data electronically, a health plan, and a health care clearinghouse. Paper versions of the information, such as computer printouts, also are protected.
Rights of individuals
• The right to receive a written notice of information practices from health plans and providers.
• The right to access their own health information, including a right to inspect and obtain a copy of the information.
• The right to request amendment or correction of protected health information that is inaccurate or incomplete.
• The right to receive an accounting (audit trail) of instances when protected health information has been disclosed for purposes other than treatment, payment, and health care operations.
Obligations of health care providers and plans
• Develop a notice of information practices. Providers would provide this notice to each patient at the first service after the effective date of the rule and post a copy of the notice.
• Allow individuals to inspect and copy their protected health information.
• Develop a mechanism for accounting for all disclosures of protected health information for purposes other than treatment, payment, and health care operations.
• Allow individuals to request amendments or corrections to their protected health information.
• Designate a privacy officer who will be responsible for all necessary activities.
• Provide training to all staff or others who would have access to protected health information in the entity’s policies and procedures regarding privacy.
• Establish administrative, technical, and physical safeguards to protect identifiable health information from unauthorized access or use.
• Establish policies and procedures to allow individuals to notify health care providers about possible violations of privacy.
• Develop and apply sanctions, ranging from re-training to reprimand to termination, for employee violation of entity privacy policies.
• Have available documentation regarding compliance with the requirements of the regulation.
• Develop methods for disclosing only the minimum amount of protected information necessary to accomplish any intended purpose.
• Develop and use contracts that will ensure that business partners also protect the privacy of identifiable health information.
• Prepare to respond to requests for protected health information, which do not require consent, such as for public health, health oversight, and judicial activities.
Disclosures without patient authorization
• Covered entities could use and disclose protected health information without patient authorization for purposes of effecting treatment, payment, and health care operations. Individuals must be informed of the right to request restrictions concerning the use of protected health information for treatment, payment, or health care operations.
• Under specific conditions, covered entities are permitted to disclose protected health information:
— for federal, state, and other health oversight activities;
— for public health activities and emergencies;
— for judicial and administrative proceedings;
— to a law enforcement official with a warrant or subpoena;
— to provide information to next of kin;
— to coroners and medical examiners;
— for government health data systems;
— for hospital and other facility directory listings;
— for certain banking and payment processes;
— for health research.
Uses, disclosures with patient authorization
• Covered entities could use or disclose protected health information with the individual’s consent for lawful purposes. If an authorization would allow the covered entity to sell or barter information, that would have to be disclosed on the authorization form.
• Authorizations must specify the information to be disclosed, who would receive the information, and when the authorization would expire. Individuals could revoke an authorization at any time.
• Covered entities would be prohibited from conditioning treatment or payment upon an individual’s agreeing to authorize disclosure of information for other purposes.
HHS intends that these new privacy standards be flexible and scalable, taking into account each covered entity’s size and resources.
The regulation establishes a "floor" of privacy protections. State laws that are "less protective" of privacy are preempted, but states are free to enact "more stringent" statutes or regulations.
• Under HIPAA, the secretary is granted the authority to impose civil monetary penalties against those covered entities which fail to comply with the requirements of this regulation.
• HIPAA also established criminal penalties for certain wrongful disclosures of protected health information. These penalties are graduated, increasing if the offense is committed under false pretenses, or with intent to sell the information or reap other personal gain.
• Civil monetary penalties are capped at $25,000 for each calendar year for each standard that is violated.
1. 64 Fed. Reg. 59917 (Nov. 3, 1999).