Will you be ready when final draft is issued?
(Editor’s note: This article is adapted from several sources, including a summary on the Web site of the Health Privacy Project of the Institute for Health Care Research and Policy at Georgetown University in Washington, DC. The summary and interpretations of the rules by institute researchers can be accessed on the Web at www.healthprivacy.org.)
The 1996 Health Insurance Portability and Accountability Act (HIPAA) is a federal law designed to protect the privacy of patient medical records that are transmitted electronically. In October 1999, the Clinton administration issued a draft of its proposed HIPAA regulations and allowed for a 60-day comment period. More than 40,000 interested parties commented on the draft. Those comments are now being reviewed, and the federal government is expected to issue a final draft before the end of the year.
Here is a summary of the proposed HIPAA regulations:
• Who is covered?
— health plans;
— health care clearinghouses;
— health care providers who use computers to transmit health information.
• What is protected?
— information relating to a person’s physical or mental health care or the payment of health care services;
— information that identifies or could be used to identify the person who is the subject of the information;
— information created by or received from a covered entity;
— information electronically maintained or transmitted by a covered entity.
• What is a fair information practice?
— Covered parties may only use or disclose the minimum amount of protected health information necessary to accomplish the intended purpose.
— Regulations provide incentives for covered parties to create and use health information that has been stripped of information that could be used to identify individuals, such as Social Security numbers and names.
• What information can patients access?
— Patients have a right to see and copy their own health information, including documentation of who has had access to that information.
— Patients can request amendments or corrections of health information that is incorrect or incomplete.
— Patients may not access their own health information when access would endanger the life or safety of another individual.
• Who must be notified of privacy practices?
— Covered parties are required to provide written notice of their privacy practices, including a description of an individual’s rights in regard to protected health information, such as the individual’s right to inspect and copy health records.
— Covered parties are required to provide written notice of the anticipated uses and disclosures of this information that may be made without the patient’s written authorization.
• When is patient authorization not required?
— Covered parties and their business partners may use and disclose a patient’s protected health information in order to obtain payment for services, authorize treatment, and for health care operations such as quality assessment, performance review, training programs, and audits.
• When is patient authorization required?
— Patient authorization is required for any purpose other than treatment, payment, and health care operations.
— Patient authorization must be voluntary.
— Covered parties may not condition treatment or payment on whether a patient authorizes release of protected information.
— Patients must be notified if the covered entity may profit from the use or disclosure of protected information.
• What special rules address mental health records?
— Separate voluntary authorization is required for the use and disclosure of psychotherapy notes.
— Patients cannot be refused psychiatric treatment, enrollment in a health plan, or payment of a claim for refusal to authorize disclosure of mental health information.
• What information may be disclosed for judicial and administrative hearings?
— Covered parties may disclose protected information in judicial and administrative hearings only if the request for information is made through or relates directly to a court order.
— This rule does not apply when information requested relates to a party to the proceeding whose health condition is at issue.
• Which public agencies may access protected information?
— Covered parties may disclose protected information to public oversight agencies without individual authorization by patients for activities such as audits.
• What special rights do minors have?
— Individuals under the age of 18 who have the legal capacity to obtain health care on their own have the same rights as an adult with regard to their health information.
— Current state laws regarding parents and minors also apply. In states where parents have a legal right to access health care information, they retain that right.
• What rules govern information used for research purposes?
— Covered parties may disclose protected information without individual authorization only to researchers whose protocol has been reviewed and approved by a "privacy board."
• What rules govern information requested by law enforcement officials?
— Covered parties may disclose protected information without individual authorization to law enforcement officials pursuant to a warrant, subpoena, or order issued by a judicial officer or grand jury.
— Covered parties may disclose protected information without individual authorization pursuant to an administrative subpoena or summons, civil investigative demand, or similar certification if the information is relevant, the request is specific, and de-identified information could not be reasonably used for the same purposes.
— Covered parties may disclose protected information without individual authorization for purposes of identifying a suspect, fugitive, material witness, or missing person.
— Covered parties may disclose protected information when the covered entity believes in good faith that the information relates to health care fraud.
• What rules govern state public health laws?
— Covered parties may disclose protected information for public health purposes as required by state laws, such as reporting of disease or injuries, collecting vital statistics, public health surveillance, and public health investigations or interventions.
• What penalties may the government issue for HIPAA violations?
— Civil monetary penalties of $100 per violation up to a cap of $25,000 annually may be levied against covered parties that fail to comply with the HIPAA rules.
— A criminal penalty of up to $250,000 and 10 years in prison may be imposed for information obtained under false pretenses or with the intent to sell the information for commercial advantage.
• When can the HIPAA rules be preempted?
— State laws that are more protective of individual privacy than HIPAA will stand.
— States may pass stronger laws in the future.
— HIPAA serves as a minimum baseline for privacy protections and allows states to maintain and enact stronger health information privacy laws.
(For information on what HIPAA means for Internet health care applications, see p. 93.)