The Privacy Rule defines a series of privacy standards required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Congress stated that the purpose of the HIPAA was to improve portability and continuity of health insurance coverage; to combat waste, fraud, and abuse in health insurance and healthcare delivery; to promote the use of Medical Savings Accounts; to improve access to long-term care services and coverage; and to simplify the administration of health insurance.
One section of HIPAA required the Secretary of Health and Human Services Department (HHS) to develop and submit to Congress recommendations for the following:
- Privacy rights for protecting the individually identifiable health information of patients
- Procedures that are needed for the exercise of such privacy rights
- The uses and disclosures of health information that should be authorized or required.
The HHS Secretary's recommendations were submitted to Congress in 1997. In part, these recommendations stated that:
If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by (August 21, 1999), the Secretary of Health and Human Services shall promulgate final regulations containing such standards. . .
Since Congress did not enact further legislation regarding the privacy of individually identifiable health information by the specified deadline, HHS published proposed rules setting forth medical privacy standards in the Federal Register on November 3, 2001 (64 FR, 59918).
In the process of releasing the proposed regulations, HHS sought to work closely with the healthcare industry to define guidelines that were workable and feasible. The agency received and considered over 1700 comments from industry representatives and practitioners. In response to these comments, HHS sought to achieve a balance between individual privacy concerns and the various legitimate uses and disclosures of health information that occur in the healthcare industry.
Its goal was to define a regulation that described a set of basic consumer protections and a series of regulatory permissions for use and disclosure of health information. According to HHS, the protections are a mandatory floor, which other governments and any covered entity may exceed. The permissions are just that, permissive--the only disclosures of health information required under this rule are to the individual who is the subject of the information or to the Secretary for enforcement of this rule. Covered entities are expected to rely on their professional ethics and use their own best judgment in deciding which of these permissions they will use.
The Privacy Rule establishes national minimum standards to protect the privacy of individually identifiable health information in prescribed settings. The standards address the many uses and disclosures of individually identifiable health information by health plans, certain healthcare providers and healthcare clearing houses. The complexity of the standards reflects the complexity of the healthcare marketplace to which they apply and the variety of subjects that must be addressed. This rule applies not only to the core healthcare functions relating to treating patients and reimbursing healthcare providers, but also to activities that range from when individually identifiable health information should be available for research without authorization to whether a healthcare provider may release protected health information about a patient for law enforcement purposes.
Highlights of the Privacy Rule
The Standards for Privacy of Individually Identifiable Health Information took effect on April 14, 2001. Most covered entities had until April 14, 2003 to comply with the regulations. Small health plans have until April 14, 2004 to comply. Definitions distinguishing large and small entities under the regulations appear later in this section.
Covered entities include public and private sector entities that transmit health information in electronic form, such as health plans, healthcare clearing houses, healthcare providers, and organizations or individuals that provide certain financial or administrative transactions involving use or disclosure of individually identifiable protected health information. Portions of the definitions of covered entities appear later in this section. Covered entities can include:
- Primary physicians
- Consulting physicians
- Managed care organizations
- Health insurance companies
- Life insurance companies
- Self-insured employers
- Pharmacy benefit managers
- Clinical laboratories
- Accrediting organizations
- Medical information bureaus
- Business services
- Governmental units or agencies
- Other organizations handling protected health information.
The privacy protections apply to all medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether stored or communicated electronically, on paper, or orally.
New Rights for Patients
Notice Requirements. The Privacy Rule defines new rights for patients, allowing greater consumer control over health information. Healthcare providers, health plans and other covered entities must give patients a clear written explanation describing how the organization may use and disclose their health information. This explanation is referred to as "Notice."
Consent. In addition, healthcare providers who see patients may obtain patient consent before sharing their information for treatment, payment, or other healthcare operations.
Authorization. Further, a separate written authorization must be obtained by the covered entity for any non-routine disclosure and for most disclosures made for non-health reasons.
Rights. In addition to the provisions for notice, consent, and authorization described above, patients also have a right to:
- See and get copies of their own medical records, subject to certain exceptions
- Request an amendment to their medical record if they believe there is an error
- Request a summary or history of non-routine disclosures
- Request restrictions on uses and disclosures of health information
- File a complaint with the covered entity or the HHS if they feel that their medical privacy rights were violated.
New Responsibilities for Covered Entities
The organizations covered by the regulations must establish privacy safeguards to comply with the regulations and to protect against unauthorized disclosures of protected information.
The privacy procedures must define the covered entity's practices regarding Business Associates that provide support services to ensure that these organizations also observe proper privacy protections.
The covered entity is responsible for making sure that health information is not used for non-health purposes. Certain non-health disclosures are permitted solely upon explicit written authorization from the patient. Further, disclosures of information must be limited to the minimum necessary to achieve the purpose of the disclosure. Disclosure of information is permissible when necessary to comply with the law.
Guidelines are provided relating to disclosures for marketing purposes, research purposes, consent for care of minors, emergency circumstances, public health needs, and legal proceedings.
The Office of Civil Rights of the Department of Health and Human Services is responsible for enforcing the regulations. Covered entities are obligated to cooperate with government enforcement efforts and to supply information as requested. Violations may be subject to civil penalties and to federal criminal penalties.
Civil Liability. Health plans, healthcare providers and clearinghouses that violate the standards will be subject to civil liability. The law defines civil money penalties at $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated.
Criminal Penalties. Under HIPAA, entities or individuals are subject to criminal penalties for knowingly violating patient privacy. Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information in violation of the standard; up to $100,000 and up to five years in prison for obtaining or disclosing protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.