On December 28, 2000, the Department of Health & Human Services published the final HIPAA privacy rules.  A summary of those is being prepared.  The following is an overview of the original proposed rules.

 

Overview of the Proposed HIPAA Privacy Standards for Individually Identifiable Health Information

 

By Gregory D. Frost and Clay J. Countryman

 

The Proposed Privacy Standards for Individually Identifiable Health Information ("Proposed Privacy Standards") were published by the Department of Health and Human Services ("DHHS") in the Federal Register on November 3, 1999 (64 Fed. Reg. 59917). It is expected that the Final Regulations will be released before the end of the calendar year 2000.

 

I.  Background to the Proposed Privacy Standards

 

A.  HIPAA Requirement

The Proposed Privacy Standards were proposed by the Secretary of the DHHS in response to the requirement in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") that the Secretary promulgate a series of standards relating to the electronic exchange of health information, otherwise known as the Administrative Simplification provisions in HIPAA.

B.  HIPAA Required Framework

 

The legislative authority in HIPAA to promulgate the regulations for the Proposed Privacy Standards contains the following limitations or important aspects:

  1. A limited number of entities would be affected by the standards;

  2. Certain enforcement provisions, including audits for compliance;

  3. A private right of action for individuals whose privacy rights are violated; and

  4. The Proposed Privacy Standards are applicable only to providers who engage in electronic administrative simplification transactions.

 

II.  General Overview of the Proposed Privacy Standards

 

A.  Applicability

 

1. The requirements of the Proposed Privacy Standards apply to the following entities:

 

  (a) A Health Plan;

  (b) A Health Care Clearinghouse; and

  (c) A Health Care Provider.

2. The DHHS proposed that the regulations require covered entities to apply many provisions of the proposed regulations to entities with which they contract for administrative and other services. These entities are referred to as "Business Partners."

 

B.  General Rule(s)

 

1.  The purpose of the proposed regulations is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by others.

 

2.  Covered Entities would be prohibited from using or disclosing protected health information except as provided in the proposed rule.

 

3.  A covered entity is permitted to use or disclose protected health information without individual authorization:

  (a) to carry out treatment, payment or health care operations; and

  (b) for certain national priority purposes, but only under defined circumstances.

4.  A covered entity is required to disclose protected health information without individual authorization in two circumstances:

  (a) in response to a request by an individual to inspect, and obtain a copy of, his or her protected health information; and

  (b) in connection with an enforcement action or compliance review brought by the Secretary of the DHHS pursuant to the proposed regulations.

 

C.  Select Important Definitions

 

1. Covered Entity means one of the following:

 

  (a) Health Plan;

  (b) Health Care Clearinghouse; or

  (c) Health Care Provider who transmits any health information in electronic form in connection with a transaction covered by the proposed regulations.

2. Health Care Clearinghouse means "a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements." Examples in the regulations include billing services, repricing companies, and community health information systems.

 

3. Health Information means "any information, whether oral or recorded in any form or medium, that:

  (a) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

  (b) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual."

 

 

4. Business Partner means, with respect to a covered entity, "a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity." A "Business partner" includes contractors or other persons who receive protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence, including lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms, and other covered entities. "Business partner" excludes persons who are within the covered entity’s workforce.

 

5. Designated Record Set means "a group of records under the control of a covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol or other identifying particular assigned to the individual and which is used by the covered entity to make decisions about the individual." The term record means "any item, collection, or grouping of protected health information maintained, collected, used, or disseminated by a covered entity."

 

6. Disclosure means "the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information."

 

7. Individually Identifiable Health Information is information that is a subset of health information, including demographic information collected from an individual, and that:

  (a) is created by or received from a health care provider, health plan, employer, or health care clearinghouse; and

  (b) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and

    (i) which identifies the individual, or

    (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

8. Protected Health Information means "individually identifiable health information that is or has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form."

 

  For purposes of this definition:

  (a) "Electronically transmitted" includes information exchanged with a computer using electronic media, such as the movement of information from one location to another by magnetic or optical media, transmissions over the Internet, Extranet, leased lines, dial-up lines, private networks, telephone voice response, and "faxback" systems.

  (b) "Electronically maintained" means information stored by a computer or on any electronic medium from which information may be retrieved by a computer, such as electronic memory chips, magnetic tape, magnetic disk, or compact disc optical media.

  "Protected health information" excludes:

  (a) Individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; and

  (b) Individually identifiable health information of inmates of correctional facilities and detainees in detention facilities.

9. Use means the employment, application, utilization, examination, or analysis of information within an entity that holds the information.

 

D.  Uses and Disclosures With Individual Authorization

 

Except in certain circumstances, covered entities are required to obtain an individual’s explicit consent before using or disclosing protected health information about that individual.

 

The proposed regulations discuss two general situations in which individual authorization would be obtained: the authorization may be initiated at the individual’s request, or it may be prompted by a covered entity’s request. The conditions governing the authorization differ depending on which situation is involved.

 

  1. Requirement for Authorization Requested by Individuals. Proposed 45 CFR 164.508(c).

 

The individual requesting a use or disclosure must submit an authorization form to the covered entity. The form must:

 

  (a) provide a specific description of the information to be used or disclosed;

  (b) name the covered entity authorized to make the requested use or disclosure;

  (c) name the party to whom the covered entity may make the requested use or disclosure;

  (d) provide an expiration date;

  (e) be signed and dated; and

  (f) be in plain language if the model form in the proposed regulations is not used.

 

  2. Requirements for Authorizations Requested by a Covered Entity. Proposed 45 CFR 164.508(d).

 

Covered entities making a request are also required to obtain an authorization form. The authorization must meet the requirements for requests made by individuals and contain certain additional elements such as statements concerning:

 

  (a) the purpose for which the request was made;

  (b) the right of the individual to inspect or copy the information;

  (c) the right of the individual to refuse treatment; and

  (d) whether authorization will result in financial gain for the covered entity.

 

The covered entity is required to have procedures in place to limit the scope of the request to the minimum amount of information needed to achieve the purpose for which the information is requested.

 

3. An authorization made pursuant to either type of request is revocable at any time. Proposed 45 CFR 164.508(e).

 

E.  Uses and Disclosures for Treatment, Payment and Health Care Operations

 

Covered entities, with limited exceptions, would be permitted to use and disclose protected health information without an individual’s authorization for treatment and payment purposes, and for related purposes that fall within the definition of health care operations. The DHHS stated that the terms "treatment" and "payment" should be construed broadly.

 

F.  Permissible Uses and Disclosures for Purposes Other Than Treatment, Payment and Health Care Operations

 

The Proposed Privacy Standards would permit the use or disclosure of health information without individual authorization for the following national priority activities and other activities that allow the health care system to operate smoothly:

 

  • Oversight of the health care system

  • Public health functions

  • Research

  • Judicial and administrative proceedings

  • Law enforcement

  • Emergency circumstances

  • To provide information to next-of-kin

  • For identification of the body of the deceased person, or the cause of death

  • For government health data systems

  • For facility patient directories

  • To banks, to process health care payments and premiums

  • For management of active duty military and other special classes of individuals

 

G. Individual Rights

 

  1. Basic Rights

 

The Proposed Privacy Standards would establish the following "basic" rights for individuals with respect to their protected health information:

 

  (a) the right to notice of information practices;

  (b) the right to obtain access to protected health information, including the right to inspect and copy protected health information;

  (c) the right to receive an accounting of how an individual’s protected health information has been disclosed; and

  (d) the right to request amendment or correction of protected health information that is inaccurate or incomplete.

 

  2. Right to Notice

 

The proposed regulations provide individuals with a right to an adequate notice of the information practices of covered health plans and health care providers.

 

This notice must include:

 

  (a) an explanation of the way the entity uses and discloses protected health information;

  (b) basic statements relating to individual rights, such as the disclosure of an individual’s right to access protected health information and the right of the covered entity to change its policies and procedures; and

  (c) the date the notice was produced.

 

Covered health plans and providers are required to update their notices when they make material changes to their information practices.

 

H. Administrative Requirements on Covered Entities

 

The Proposed Privacy Standards would require covered entities to:

 

  1. designate a privacy official;

  2. develop a privacy training program for employees;

  3. implement safeguards to protect health information from intentional or accidental misuse;

  4. provide some means for individuals to lodge complaints about the covered entity’s information practices;

  5. develop a system of sanctions for employees and business partners who violate the entity’s policies or procedures; and

  6. maintain documentation of their policies and procedures for complying with the requirements of the proposed standards.

 

I. Preemption

 

HIPAA provides that the Proposed Privacy Standards preempt state laws that conflict with the regulatory requirements, except state laws that provide greater privacy protections. According to the DHHS, the Proposed Privacy Standards would create a federal floor of privacy protection, but would not supersede other applicable laws that provide greater protection to the confidentiality of health information.

 

J. Compliance Enforcement

 

The Proposed Privacy Standards authorize the imposition of civil monetary penalties against covered entities that fail to comply with the requirements of the Standards. There are also criminal penalties for certain violations of the privacy and security regulations. Civil fines are capped at $25,000 for each calendar year for each provision that is violated.