This information is reprinted from the Medicare Part B New Issue 186.

[Federal Register: December 28, 2000 (Volume 65, Number 250)]
[Rules and Regulations]
[Page 82461-82510]
[DOCID:fr28de00-29]
BILLING CODE: 4150-04M
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 through 164
RIN: 0991-AB08
Standards for Privacy of Individually Identifiable Health Information
AGENCY: Office of the Assistant Secretary for Planning and Evaluation, DHHS.
ACTION: Final rule.
SUMMARY:
This rule includes standards to protect the privacy of individually identifiable
health information. The rules below, which apply to health plans, health care
clearinghouses, and certain health care providers, present standards with
respect to the rights of individuals who are the subjects of this information,
procedures for the exercise of those rights, and the authorized and required
uses and disclosures of this information. The
use of these standards will improve the efficiency and effectiveness of public
and private health programs and health care services by providing enhanced
protections for individually identifiable health information. These protections
will begin to address growing public concerns that advances in electronic
technology and evolution in the health care industry are resulting, or may
result, in a substantial erosion of the privacy surrounding individually
identifiable health information maintained by health care providers, health
plans and their administrative contractors. This rule implements the privacy
requirements of the Administrative Simplification subtitle of the Health
Insurance Portability and Accountability Act of 1996.

DATES: The final rule is effective on February 26, 2001.

FOR FURTHER INFORMATION CONTACT: Kimberly Coleman, 1-866-OCR-PRIV
(1-866-627-7748) or TTY 1-866-788-4989.

SUPPLEMENTARY INFORMATION:

Availability of copies, and electronic access.

Copies: To order copies of the Federal Register containing this document, send
your request to: New Orders, Superintendent of Documents, P.O. Box 371954,
Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a
check or money order payable to the Superintendent of Documents, or enclose your
Visa or Master Card number and expiration date. Credit card orders can also be
placed by calling the order desk at (202) 512-1800 or by fax to (202) 512-2250.
The cost for each copy is $8.00. As an alternative, you can view and photocopy
the Federal Register document at most libraries designated as Federal
Depository Libraries and at many other public and academic libraries throughout
the country that receive the Federal Register.

Electronic Access: This document is available electronically at
http://aspe.hhs.gov/admnsimp/ as well as at the web site of the Government
Printing Office at http://www.access.gpo.gov/su_docs/aces/aces140.html.

I. BACKGROUND

Table of Contents
160.101 Statutory basis and purpose.
160.102 Applicability.
160.103 Definitions.
160.104 Modifications.
160.201 Applicability.
160.202 Definitions.
160.203 General rule and exceptions.
160.204 Process for requesting exception determinations.
160.205 Duration of effectiveness of exception determinations.
160.300 Applicability.
160.302 Definitions.
160.304 Principles for achieving compliance.
    (a) Cooperation.
    (b) Assistance.
160.306 Complaints to the Secretary.
    (a) Right to file a complaint.
    (b) Requirements for filing complaints.
    (c) Investigation.
160.308 Compliance reviews.
160.310 Responsibilities of covered entities.
    (a) Provide records and compliance reports.
    (b) Cooperate with complaint investigations and compliance reviews.
    (c) Permit access to information.
160.312 Secretarial action regarding complaints and compliance reviews.
    (a) Resolution where noncompliance is indicated.
    (b) Resolution when no violation is found.
164.102 Statutory basis.
164.104 Applicability.
164.106 Relationship to other parts.
164.500 Applicability.
164.501 Definitions.
164.502 Uses and disclosures of protected health information: general rules.
    (a) Standard.
    (b) Standard: minimum necessary.
    (c) Standard: uses and disclosures of protected health information subject to an agreed upon restriction.
    (d) Standard: uses and disclosures of de-identified protected health information.
    (e) Standard: disclosures to business associates.
    (f) Standard: deceased individuals.
    (g) Standard: personal representatives.
    (h) Standard: confidential communications.
    (i) Standard: uses and disclosures consistent with notice.
    (j) Standard: disclosures by whistleblowers and workforce member crime victims.
164.504 Uses and disclosures: organizational requirements.
    (a) Definitions.
    (b) Standard: health care component.
    (c) Implementation specification: application of other provisions.
    (d) Standard: affiliated covered entities.
    (e) Standard: business associate contracts.
    (f) Standard: requirements for group health plans.
    (g) Standard: requirements for a covered entity with multiple covered functions.
164.506 Consent for uses or disclosures to carry out treatment, payment, or health care operations.
    (a) Standard: consent requirement.
    (b) Implementation specifications: general requirements.
    (c) Implementation specifications: content requirements.
    (d) Implementation specifications: defective consents.
    (e) Standard: resolving conflicting consents and authorizations.
    (f) Standard: joint consents.
164.508 Uses and disclosures for which an authorization is required.
    (a) Standard: authorizations for uses and disclosures.
    (b) Implementation specifications: general requirements.
    (c) Implementation specifications: core elements and requirements.
    (d) Implementation specifications: authorizations requested by a covered entity for its own uses and disclosures.
    (e) Implementation specifications: authorizations requested by a covered entity for disclosures by others.
    (f) Implementation specifications: authorizations for uses and disclosures of protected health information created for research that includes treatment of the individual.
164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object.
    (a) Standard: use and disclosure for facility directories.
    (b) Standard: uses and disclosures for involvement in the individual's care and notification purposes.
164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required.
    (a) Standard: uses and disclosures required by law.
    (b) Standard: uses and disclosures for public health activities.
    (c) Standard: disclosures about victims of abuse, neglect or domestic violence.
    (d) Standard: uses and disclosures for health oversight activities.
    (e) Standard: disclosures for judicial and administrative proceedings.
    (f) Standard: disclosures for law enforcement purposes.
    (g) Standard: uses and disclosures about decedents.
    (h) Standard: uses and disclosures for cadaveric organ, eye or tissue donation purposes.
    (i) Standard: uses and disclosures for research purposes.
    (j) Standard: uses and disclosures to avert a serious threat to health or safety.
    (k) Standard: uses and disclosures for specialized government functions.
    (l) Standard: disclosures for workers' compensation.
164.514 Other requirements relating to uses and disclosures of protected health information.
    (a) Standard: de-identification of protected health information.
    (b) Implementation specifications: requirements for de-identification of protected health information.
    (c) Implementation specifications: re-identification.
    (d) Standard: minimum necessary requirements.
    (e) Standard: uses and disclosures of protected health information for marketing.
    (f) Standard: uses and disclosures for fundraising.
    (g) Standard: uses and disclosures for underwriting and related purposes.
    (h) Standard: verification requirements.
164.520 Notice of privacy practices for protected health information.
    (a) Standard: notice of privacy practices.
    (b) Implementation specifications: content of notice.
    (c) Implementation specifications: provision of notice.
    (d) Implementation specifications: joint notice by separate covered entities.
    (e) Implementation specifications: documentation.
164.522 Rights to request privacy protection for protected health information.
    (a) Standard: right of an individual to request restriction of uses and disclosures.
    (b) Standard: confidential communications requirements.
164.524 Access of individuals to protected health information.
    (a) Standard: access to protected health information.
    (b) Implementation specifications: requests for access and timely action.
    (c) Implementation specifications: provision of access.
    (d) Implementation specifications: denial of access.
    (e) Implementation specification: documentation.
164.526 Amendment of protected health information.
    (a) Standard: right to amend.
    (b) Implementation specifications: requests for amendment and timely action.
    (c) Implementation specifications: accepting the amendment.
    (d) Implementation specifications: denying the amendment.
    (e) Implementation specification: actions on notices of amendment.
    (f) Implementation specification: documentation.
164.528 Accounting of disclosures of protected health information.
    (a) Standard: right to an accounting of disclosures of protected health information.
    (b) Implementation specifications: content of the accounting.
    (c) Implementation specifications: provision of the accounting.
    (d) Implementation specification: documentation.
164.530 Administrative requirements.
    (a) Standard: personnel designations.
    (b) Standard: training.
    (c) Standard: safeguards.
    (d) Standard: complaints to the covered entity.
    (e) Standard: sanctions.
    (f) Standard: mitigation.
    (g) Standard: refraining from intimidating or retaliatory acts.
    (h) Standard: waiver of rights.
    (i) Standard: policies and procedures.
    (j) Standard: documentation.
    (k) Standard: group health plans.
164.532 Transition provisions.
    (a) Standard: effect of prior consents and authorizations.
    (b) Implementation specification: requirements for retaining effectiveness of prior consents and authorizations.
164.534 Compliance dates for initial implementation of the privacy standards.
    (a) Health care providers.
    (b) Health plans.
    (c) Health care clearinghouses.
Purpose of the Administrative Simplification Regulations

This regulation has three major purposes:

This regulation is the second final regulation to be issued in the package of rules
mandated under Title II Subtitle F Section 261-264 of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, titled
"Administrative Simplification." Congress called for steps to improve
"the efficiency and effectiveness of the health care system by encouraging
the development of a health information system through the establishment of
standards and requirements for the electronic transmission of certain health
information." To achieve that end, Congress required the Department to
promulgate a set of interlocking regulations establishing standards and
protections for health information systems. The first regulation in this set,
Standards for Electronic Transactions 65 FR 50312, was published on August 17,
2000 (the "Transactions Rule"). This regulation establishing Standards
for Privacy of Individually Identifiable Health Information is the second final
rule in the package. A rule establishing a unique identifier for employers to
use in electronic health care transactions, a rule establishing a unique
identifier for providers for such transactions, and a rule establishing
standards for the security of electronic information systems have been proposed.
See 63 FR 25272 and 25320 (May 7, 1998); 63 FR 32784 (June 16, 1998); 63 FR
43242 (August 12, 1998). Still to be proposed are rules establishing a unique
identifier for health plans for electronic transactions, standards for claims
attachments, and standards for transferring among health plans appropriate
standard data elements needed for coordination of benefits. (See section C,
below, for a more detailed explanation of the statutory mandate for these
regulations.)

In enacting HIPAA, Congress recognized the fact that administrative simplification
cannot succeed if we do not also protect the privacy and confidentiality of
personal health information. The provision of high-quality health care requires
the exchange of personal, often-sensitive information between an individual and
a skilled practitioner. Vital to that interaction is the patient's ability to
trust that the information shared will be protected and kept confidential. Yet
many patients are concerned that their information is not protected. Among the
factors adding to this concern are the growth of the number of organizations
involved in the provision of care and the processing of claims, the growing use
of electronic information technology, increased efforts to market health care
and other products to consumers, and the increasing ability to collect highly
sensitive information about a person's current and future health status as a
result of advances in scientific research.

Rules requiring the protection of health privacy in the United States have been
enacted primarily by the states. While virtually every state has enacted one or
more laws to safeguard privacy, these laws vary significantly from state to
state and typically apply to only part of the health care system. Many states
have adopted laws that protect the health information relating to certain health
conditions such as mental illness, communicable diseases, cancer, HIV/AIDS, and
other stigmatized conditions. An examination of state health privacy laws and
regulations, however, found that "state laws, with a few notable
exceptions, do not extend comprehensive protections to people's medical
records." Many state rules fail to provide such basic protections as
ensuring a patient's legal right to see a copy of his or her medical record. See
Health Privacy Project, "The State of Health Privacy: An Uneven
Terrain," Institute for Health Care Research and Policy, Georgetown
University (July 1999) (http://www.healthprivacy.org)
(the "Georgetown Study").

Until now, virtually no federal rules existed to protect the privacy of health
information and guarantee patient access to such information. This final rule
establishes, for the first time, a set of basic national privacy standards and
fair information practices that provides all Americans with a basic level of
protection and peace of mind that is essential to their full participation in
their care. The rule sets a floor of ground rules for health care providers,
health plans, and health care clearinghouses to follow, in order to protect
patients and encourage them to seek needed care. The rule seeks to balance the
needs of the individual with the needs of the society. It creates a framework of
protection that can be strengthened by both the federal government and by states
as health information systems continue to evolve.

Need for a National Health Privacy Framework

The Importance of Privacy

Privacy is a fundamental right. As such, it must be viewed differently than any ordinary
economic good. The costs and benefits of a regulation must, of course, be
considered as a means of identifying and weighing options. At the same time, it
is important not to lose sight of the inherent meaning of privacy: it speaks to
our individual and collective freedom.

A right to privacy in personal information has historically found expression in
American law. All fifty states today recognize in tort law a common law or
statutory right to privacy. Many states specifically provide a remedy for public
revelation of private facts. Some states, such as California and Tennessee, have
a right to privacy as a matter of state constitutional law. The multiple
historical sources for legal rights to privacy are traced in many places,
including Chapter 13 of Alan Westin's Privacy and Freedom and in Ellen
Alderman & Caroline Kennedy, The Right to Privacy (1995).

Throughout our nation's history, we have placed the rights of the individual at the
forefront of our democracy. In the Declaration of Independence, we asserted the
"unalienable right" to "life, liberty and the pursuit of
happiness." Many of the most basic protections in the Constitution of the
United States are imbued with an attempt to protect individual privacy while
balancing it against the larger social purposes of the nation.

To take but one example, the Fourth Amendment to the United States Constitution
guarantees that "the right of the people to be secure in their persons,
houses, papers and effects, against unreasonable searches and seizures, shall
not be violated." By referring to the need for security of
"persons" as well as "papers and effects" the Fourth
Amendment suggests enduring values in American law that relate to privacy. The
need for security of "persons" is consistent with obtaining patient
consent before performing invasive medical procedures. The need for security in
"papers and effects" underscores the importance of protecting
information about the person, contained in sources such as personal diaries,
medical records, or elsewhere. As is generally true for the right of privacy in
information, the right is not absolute. The test instead is what constitutes an
"unreasonable" search of the papers and effects.

The United States Supreme Court has upheld the constitutional protection of personal
health information. In Whalen v. Roe, 429 U.S. 589 (1977), the Court
analyzed a New York statute that created a database of persons who obtained
drugs for which there was both a lawful and unlawful market. The Court, in
upholding the statute, recognized at least two different kinds of interests
within the constitutionally protected "zone of privacy." "One is
the individual interest in avoiding disclosure of personal matters," such
as this regulation principally addresses. This interest in avoiding disclosure,
discussed in Whalen in the context of medical information, was found to
be distinct from a different line of cases concerning "the interest in
independence in making certain kinds of important decisions."

Individuals' right to privacy in information about themselves is not absolute. It does not,
for instance, prevent reporting of public health information on communicable
diseases or stop law enforcement from getting information when due process has
been observed. But many people believe that individuals should have some right
to control personal and sensitive information about themselves. Among different
sorts of personal information, health information is among the most sensitive.
Many people believe that details about their physical self should not generally
be put on display for neighbors, employers, and government officials to see.
Informed consent laws place limits on the ability of other persons to intrude
physically on a person's body. Similar concerns apply to intrusions on
information about the person.

Moving beyond these facts of physical treatment, there is also significant intrusion
when records reveal details about a person's mental state, such as during
treatment for mental health. If, in Justice Brandeis' words, the "right to
be let alone" means anything, then it likely applies to having outsiders
have access to one's intimate thoughts, words, and emotions. In the recent case
of Jaffee v. Redmond, 116 S.Ct. 1923 (1996), the Supreme Court held
that statements made to a therapist during a counseling session were protected
against civil discovery under the Federal Rules of Evidence. The Court noted
that all fifty states have adopted some form of the psychotherapist-patient
privilege. In upholding the federal privilege, the Supreme Court stated that it
"serves the public interest by facilitating the appropriate treatment for
individuals suffering the effects of a mental or emotional problem. The mental
health of our citizenry, no less than its physical health, is a public good of
transcendent importance."

Many writers have urged a philosophical or common-sense right to privacy in one's
personal information. Examples include Alan Westin, Privacy and Freedom
(1967) and Janna Malamud Smith, Private Matters: In Defense of the Personal
Life (1997). These writings emphasize the link between privacy and freedom
and privacy and the "personal life," or the ability to develop one's
own personality and self-expression. Smith, for instance, states:

The bottom line is clear. If we continually, gratuitously, reveal other people's
privacies, we harm them and ourselves, we undermine the richness of the personal
life, and we fuel a social atmosphere of mutual exploitation. Let me put it
another way: Little in life is as precious as the freedom to say and do things
with people you love that you would not say or do if someone else were present.
And few experiences are as fundamental to liberty and autonomy as maintaining
control over when, how, to whom, and where you disclose personal material. Id.
at 240-241.

In 1890, Louis D. Brandeis and Samuel D. Warren defined the right to privacy as
"the right to be let alone." See L. Brandeis, S. Warren, "The
Right To Privacy," 4 Harv.L.Rev. 193. More than a century later, privacy
continues to play an important role in Americans' lives. In their book, The
Right to Privacy, (Alfred A. Knopf, New York, 1995) Ellen Alderman and
Caroline Kennedy describe the importance of privacy in this way:

Privacy covers many things. It protects the solitude necessary for creative thought. It
allows us the independence that is part of raising a family. It protects our
right to be secure in our own homes and possessions, assured that the government
cannot come barging in. Privacy also encompasses our right to self-determination
and to define who we are. Although we live in a world of noisy self-confession,
privacy allows us to keep certain facts to ourselves if we so choose. The right
to privacy, it seems, is what makes us civilized.

Or, as Cavoukian and Tapscott observed, the right of privacy is: "the claim of
individuals, groups, or institutions to determine for themselves when, how, and
to what extent information about them is communicated." See A. Cavoukian,
D. Tapscott, "Who Knows: Safeguarding Your Privacy in a Networked
World," Random House (1995).

Increasing Public Concern About Loss of Privacy

Today, it is virtually impossible for any person to be truly "let alone." The
average American is inundated with requests for information from potential
employers, retail shops, telephone marketing firms, electronic marketers, banks,
insurance companies, hospitals, physicians, health plans, and others. In a 1998
national survey, 88 percent of consumers said they were "concerned" by
the amount of information being requested, including 55 percent who said they
were "very concerned." See Privacy and American Business, 1998
Privacy Concerns & Consumer Choice Survey (http://www.pandab.org).
These worries are not just theoretical. Consumers who use the Internet to make
purchases or request "free" information often are asked for personal
and financial information. Companies making such requests routinely promise to
protect the confidentiality of that information. Yet several firms have tried to
sell this information to other companies even after promising not to do so.

Americans' concern about the privacy of their health information is part of a broader
anxiety about their lack of privacy in an array of areas. A series of national
public opinion polls conducted by Louis Harris & Associates documents a
rising level of public concern about privacy, growing from 64 percent in 1978 to
82 percent in 1995. Over 80 percent of persons surveyed in 1999 agreed with the
statement that they had "lost all control over their personal
information." See Harris Equifax, Health Information Privacy Study (1993)
(http://www.epic.org/privacy/medical/polls.html).
A Wall Street Journal/ABC poll on September 16, 1999 asked Americans what
concerned them most in the coming century. "Loss of personal privacy"
was the first or second concern of 29 percent of respondents. All other issues,
such as terrorism, world war, and global warming had scores of 23 percent or
less.

This growing concern stems from several trends, including the growing use of
interconnected electronic media for business and personal activities, our
increasing ability to know an individual's genetic make-up, and, in health care,
the increasing complexity of the system. Each of these trends brings the
potential for tremendous benefits to individuals and society generally. At the
same time, each also brings new potential for invasions of our privacy.

Increasing Use of Interconnected Electronic Information Systems

Until recently, health information was recorded and maintained on paper and stored in
the offices of community-based physicians, nurses, hospitals, and other health
care professionals and institutions. In some ways, this imperfect system of
record keeping created a false sense of privacy among patients, providers, and
others. Patients' health information has never remained completely confidential.
Until recently, however, a breach of confidentiality involved a physical
exchange of paper records or a verbal exchange of information. Today, however,
more and more health care providers, plans, and others are utilizing electronic
means of storing and transmitting health information. In 1996, the health care
industry invested an estimated $10 billion to $15 billion on information
technology. See National Research Council, Computer Science and
Telecommunications Board, "For the Record: Protecting Electronic Health
Information," (1997). The electronic information revolution is transforming
the recording of health information so that the disclosure of information may
require only a push of a button. In a matter of seconds, a person's most
profoundly private information can be shared with hundreds, thousands, even
millions of individuals and organizations at a time. While the majority of
medical records still are in paper form, information from those records is often
copied and transmitted through electronic means.

This ease of information collection, organization, retention, and exchange made
possible by the advances in computer and other electronic technology affords
many benefits to individuals and to the health care industry. Use of electronic
information has helped to speed the delivery of effective care and the
processing of billions of dollars worth of health care claims. Greater use of
electronic data has also increased our ability to identify and treat those who
are at risk for disease, conduct vital research, detect fraud and abuse, and
measure and improve the quality of care delivered in the U.S. The National
Research Council recently reported that "the Internet has great potential
to improve Americans' health by enhancing communications and improving access to
information for care providers, patients, health plan administrators, public
health officials, biomedical researchers, and other health professionals."
See "Networking Health: Prescriptions for the Internet," National
Academy of Sciences (2000).

At the same time, these advances have reduced or eliminated many of the financial
and logistical obstacles that previously served to protect the confidentiality
of health information and the privacy interests of individuals. And they have
made our information available to many more people. The shift from paper to
electronic records, with the accompanying greater flows of sensitive health
information, thus strengthens the arguments for giving legal protection to the
right to privacy in health information. In an earlier period where it was far
more expensive to access and use medical records, the risk of harm to
individuals was relatively low. In the potential near future, when technology
makes it almost free to send lifetime medical records over the Internet, the
risks may grow rapidly. It may become cost-effective, for instance, for
companies to offer services that allow purchasers to obtain details of a
person's physical and mental treatments. In addition to legitimate possible uses
for such services, malicious or inquisitive persons may download medical records
for purposes ranging from identity theft to embarrassment to prurient interest
in the life of a celebrity or neighbor. The comments to the proposed privacy
rule indicate that many persons believe that they have a right to live in
society without having these details of their lives laid open to unknown and
possibly hostile eyes. These technological changes, in short, may provide a
reason for institutionalizing privacy protections in situations where the risk
of harm did not previously justify writing such protections into law.

The growing level of trepidation about privacy in general, noted above, has tracked
the rise in electronic information technology. Americans have embraced the use
of the Internet and other forms of electronic information as a way to provide
greater access to information, save time, and save money. For example, 60
percent of Americans surveyed in 1999 reported that they have a computer in
their home; 82 percent reported that they have used a computer; 64 percent say
they have used the Internet; and 58 percent have sent an e-mail. Among those who
are under the age of 60, these percentages are even higher. See "National
Survey of Adults on Technology," Henry J. Kaiser Family Foundation
(February, 2000). But 59 percent of Americans reported that they worry that an
unauthorized person will gain access to their information. A recent survey
suggests that 75 percent of consumers seeking health information on the Internet
are concerned or very concerned about the health sites they visit sharing their
personal health information with a third party without their permission. Ethics
Survey of Consumer Attitudes about Health Web Sites, California Health Care
Foundation, at 3 (January, 2000).

Unless public fears are allayed, we will be unable to obtain the full benefits of
electronic technologies. The absence of national standards for the
confidentiality of health information has made the health care industry and the
population in general uncomfortable about this primarily financially-driven
expansion in the use of electronic data. Many plans, providers, and
clearinghouses have taken steps to safeguard the privacy of individually
identifiable health information. Yet they must currently rely on a patchwork of
State laws and regulations that are incomplete and, at times, inconsistent.
States have, to varying degrees, attempted to enhance confidentiality by
establishing laws governing at least some aspects of medical record privacy.
This approach, though a step in the right direction, is inadequate. These laws
fail to provide a consistent or comprehensive legal foundation of health
information privacy. For example, there is considerable variation among the
states in the type of information protected and the scope of the protections
provided. See Georgetown Study, at Executive Summary; Lawrence O. Gostin, Zita
Lazzarrini, Kathleen M. Flaherty, Legislative Survey of State
Confidentiality Laws, with Specific Emphasis on HIV and Immunization,
Report to Centers for Disease Control, Council of State and Territorial
Epidemiologists, and Task Force for Child Survival and Development, Carter
Presidential Center (1996) (Gostin Study).

Moreover, electronic health data is becoming increasingly "national"; as more
information becomes available in electronic form, it can have value far beyond
the immediate community where the patient resides. Neither private action nor
state laws provide a sufficiently comprehensive and rigorous legal structure to
allay public concerns, protect the right to privacy, and correct the market
failures caused by the absence of privacy protections (see discussion below of
market failure under section V.C). Hence, a national policy with consistent
rules is necessary to encourage the increased and proper use of electronic
information while also protecting the very real needs of patients to safeguard
their privacy.

Advances in Genetic Sciences

Recently, scientists completed nearly a decade of work unlocking the mysteries of the
human genome, creating tremendous new opportunities to identify and prevent many
of the leading causes of death and disability in this country and around the
world. Yet the absence of privacy protections for health information endangers
these efforts by creating a barrier of distrust and suspicion among consumers. A
1995 national poll found that more than 85 percent of those surveyed were either
"very concerned" or "somewhat concerned" that insurers and
employers might gain access to and use genetic information. See Harris Poll,
1995 #34. Sixty-three percent of the 1,000 participants in a 1997 national
survey said they would not take genetic tests if insurers and employers could
gain access to the results. See "Genetic Information and the
Workplace," Department of Labor, Department of Health and Human Services,
Equal Employment Opportunity Commission, January 20, 1998. "In genetic
testing studies at the National Institutes of Health, thirty-two percent of
eligible people who were offered a test for breast cancer risk declined to take
it, citing concerns about loss of privacy and the potential for discrimination
in health insurance." Sen. Leahy's comments for March 10, 1999 Introduction
of the Medical Information Privacy and Security Act.

The Changing Health Care System

The number of entities that maintain and transmit individually
identifiable health information has increased significantly over the last 10
years. In addition, the rapid growth of integrated health care delivery systems
requires greater use of integrated health information systems. The health care
industry has been transformed from one that relied primarily on one-on-one
interactions between patients and clinicians to a system of integrated health
care delivery networks and managed care providers. Such a system requires the
processing and collection of information about patients and plan enrollees (for
example, in claims files or enrollment records), resulting in the creation of
databases that can be easily transmitted. This dramatic change in the practice
of medicine brings with it important prospects for the improvement of the
quality of care and reducing the cost of that care. It also, however, means that
increasing numbers of people have access to health information. And, as health
plan functions are increasingly outsourced, a growing number of organizations
not affiliated with our physicians or health plans also have access to health
information. According
to the American Health Information Management Association (AHIMA), an average of
150 people "from nursing staff to x-ray technicians, to billing
clerks" have access to a patient's medical records during the course of a
typical hospitalization. While many of these individuals have a legitimate need
to see all or part of a patient's records, no laws govern who those people are,
what information they are able to see, and what they are and are not allowed to
do with that information once they have access to it. According to the National
Research Council, individually identifiable health information frequently is
shared with:

• Consulting physicians;
• Managed care organizations;
• Health insurance companies;
• Life insurance companies;
• Self-insured employers;
• Pharmacies;
• Pharmacy benefit managers;
• Clinical laboratories;
• Accrediting organizations;
• State and Federal statistical agencies; and
• Medical information bureaus.

Much
of this sharing of information is done without the knowledge of the patient
involved. While many of these functions are important for smooth functioning of
the health care system, there are no rules governing how that information is
used by secondary and tertiary users. For example, a pharmacy benefit manager
could receive information to determine whether an insurance plan or HMO should
cover a prescription, but then use the information to market other products to
the same patient. Similarly, many of us obtain health insurance coverage through
our employer and, in some instances, the employer itself acts as the insurer. In
these cases, the employer will obtain identifiable health information about its
employees as part of the legitimate health insurance functions such as claims
processing, quality improvement, and fraud detection activities. At the same
time, there is no comprehensive protection prohibiting the employer from using
that information to make decisions about promotions or job retention. Public
concerns reflect these developments. A 1993 Lou Harris poll found that 75
percent of those surveyed worry that medical information from a computerized
national health information system will be used for many non-health reasons, and
38 percent are very concerned. This poll, taken during the health reform efforts
of 1993, showed that 85 percent of respondents believed that protecting the
confidentiality of medical records is "absolutely essential" or
"very essential" in health care reform. An ACLU Poll in 1994 also
found that 75 percent of those surveyed are concerned a "great deal"
or a "fair amount" about insurance companies putting medical
information about them into a computer information bank to which others have
access. Harris Equifax, Health Information Privacy Study 2,33 (1993) http://www.epic.org/privacy/medical/poll.html.
Another survey found that 35 percent of Fortune 500 companies look at people's
medical records before making hiring and promotion decisions. Starr, Paul.
"Health and the Right to Privacy," American Journal of Law and
Medicine, 1999. Vol 25, pp. 193-201. Concerns
about the lack of attention to information privacy in the health care industry
are not merely theoretical. In the absence of a national legal framework of
health privacy protections, consumers are increasingly vulnerable to the
exposure of their personal health information. Disclosure of individually
identifiable information can occur deliberately or accidentally and can occur
within an organization or be the result of an external breach of security.
Examples of recent privacy breaches include:

• A Michigan-based health system accidentally posted the medical records of
thousands of patients on the Internet (The Ann Arbor News, February 10, 1999).
• A Utah-based pharmaceutical benefits management firm used patient data to
solicit business for its owner, a drug store (Kiplinger's, February 2000).
• An employee of the Tampa, Florida, health department took a computer disk
containing the names of 4,000 people who had tested positive for HIV, the virus
that causes AIDS (USA Today, October 10, 1996).
• The health insurance claims forms of thousands of patients blew out of a truck
on its way to a recycling center in East Hartford, Connecticut (The Hartford
Courant, May 14, 1999).
• A patient in a Boston-area hospital discovered that her medical record had been
read by more than 200 of the hospital's employees (The Boston Globe, August 1,
2000).
• A Nevada woman who purchased a used computer discovered that the computer still
contained the prescription records of the customers of the pharmacy that had
previously owned the computer. The pharmacy database included names, addresses,
Social Security numbers, and a list of all the medicines the customers had
purchased. (The New York Times, April 4, 1997 and April 12, 1997).
• A speculator bid $4000 for the patient records of a family practice in South
Carolina. Among the businessman's uses of the purchased records was selling them
back to the former patients. (New York Times, August 14, 1991).
• In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5
million names and addresses of elderly incontinent women. (ACLU Legislative
Update, April 1998).
• A few weeks after an Orlando woman had her doctor perform some routine tests,
she received a letter from a drug company promoting a treatment for her high
cholesterol. (Orlando Sentinel, November 30, 1997).

No
matter how or why a disclosure of personal information is made, the harm to the
individual is the same. In the face of industry evolution, the potential
benefits of our changing health care system, and the real risks and occurrences
of harm, protection of privacy must be built into the routine operations of our
health care system.

Privacy is Necessary to Secure Effective, High Quality Health Care

While privacy is one of the key values on which our society is built, it is more than
an end in itself. It is also necessary for the effective delivery of health
care, both to individuals and to populations. The market failures caused by the
lack of effective privacy protections for health information are discussed below
(see section V.C below). Here, we discuss how privacy is a necessary foundation
for delivery of high quality health care. In short, the entire health care
system is built upon the willingness of individuals to share the most intimate
details of their lives with their health care providers. The
need for privacy of health information, in particular, has long been recognized
as critical to the delivery of needed medical care. More than anything else, the
relationship between a patient and a clinician is based on trust. The clinician
must trust the patient to give full and truthful information about their health,
symptoms, and medical history. The patient must trust the clinician to use that
information to improve his or her health and to respect the need to keep such
information private. In order to receive accurate and reliable diagnosis and
treatment, patients must provide health care professionals with accurate,
detailed information about their personal health, behavior, and other aspects of
their lives. The provision of health information assists in the diagnosis of an
illness or condition, in the development of a treatment plan, and in the
evaluation of the effectiveness of that treatment. In the absence of full and
accurate information, there is a serious risk that the treatment plan will be
inappropriate to the patient's situation. Patients
also benefit from the disclosure of such information to the health plans that
pay for and can help them gain access to needed care. Health plans and health
care clearinghouses rely on the provision of such information to accurately and
promptly process claims for payment and for other administrative functions that
directly affect a patient's ability to receive needed care, the quality of that
care, and the efficiency with which it is delivered. Accurate
medical records assist communities in identifying troubling public health trends
and in evaluating the effectiveness of various public health efforts. Accurate
information helps public and private payers make correct payments for care
received and lower costs by identifying fraud. Accurate information provides
scientists with data they need to conduct research. We cannot improve the
quality of health care without information about which treatments work, and
which do not. Individuals
cannot be expected to share the most intimate details of their lives unless they
have confidence that such information will not be used or shared
inappropriately. Privacy violations reduce consumers' trust in the health care
system and institutions that serve them. Such a loss of faith can impede the
quality of the health care they receive, and can harm the financial health of
health care institutions. Patients
who are worried about the possible misuse of their information often take steps
to protect their privacy. Recent studies show that a person who does not believe
his privacy will be protected is much less likely to participate fully in the
diagnosis and treatment of his medical condition. A national survey conducted in
January 1999 found that one in five Americans believe their health information
is being used inappropriately. See California HealthCare Foundation,
"National Survey: Confidentiality of Medical Records"(January, 1999) (http://www.chcf.org).
More troubling is the fact that one in six Americans reported that they have
taken some sort of evasive action to avoid the inappropriate use of their
information by providing inaccurate information to a health care provider,
changing physicians, or avoiding care altogether. Similarly, in its comments on
our proposed rule, the Association of American Physicians and Surgeons reported
that 78 percent of its members had withheld information from a patient's
record due to privacy concerns, and 87 percent reported having had a
patient request to withhold information from their records. For an example of
this phenomenon in a particular demographic group, see Drs. Bearman, Ford, and
Moody, "Foregone Health Care among Adolescents," JAMA, vol.
282, no. 23 (1999); Cheng, T.L., et al., "Confidentiality in Health Care: A
Survey of Knowledge, Perceptions, and Attitudes among High School
Students," JAMA, vol. 269, no. 11 (1993), at 1404-1407. The
absence of strong national standards for medical privacy has widespread
consequences. Health care professionals who lose the trust of their patients
cannot deliver high-quality care. In 1999, a coalition of organizations
representing various stakeholders including health plans, physicians, nurses,
employers, disability and mental health advocates, accreditation organizations
as well as experts in public health, medical ethics, information systems, and
health policy adopted a set of "best principles" for health care
privacy that are consistent with the standards we lay out here. (See the Health
Privacy Working Group, "Best Principles for Health Privacy" (July,
1999) (Best Principles Study).) The Best Principles Study states that:

To protect their privacy and avoid embarrassment, stigma, and discrimination, some
people withhold information from their health care providers, provide inaccurate
information, doctor-hop to avoid a consolidated medical record, pay
out-of-pocket for care that is covered by insurance, and - in some cases - avoid
care altogether.

Best Principles Study, at 9. In their comments on our proposed rule, numerous
organizations representing health plans, health providers, employers, and others
acknowledged the value of a set of national privacy standards to the efficient
operation of their practices and businesses.

Breaches of Health Privacy Harm More than Our Health Status

A breach of a person's health privacy can have significant implications well
beyond the physical health of that person, including the loss of a job,
alienation of family and friends, the loss of health insurance, and public
humiliation. For example:

• A banker who also sat on a county health board gained access to patients'
records and identified several people with cancer and called in their mortgages.
See the National Law Journal, May 30, 1994.
• A physician was diagnosed with AIDS at the hospital in which he practiced
medicine. His surgical privileges were suspended. See Estate of Behringer v.
Medical Center at Princeton, 249 N.J. Super. 597.
• A candidate for Congress nearly saw her campaign derailed when newspapers
published the fact that she had sought psychiatric treatment after a suicide
attempt. See New York Times, October 10, 1992, Section 1, page 25.
• A 30-year FBI veteran was put on administrative leave when, without his
permission, his pharmacy released information about his treatment for
depression. (Los Angeles Times, September 1, 1998)
• Consumer Reports found that 40 percent of insurers disclose personal health
information to lenders, employers, or marketers without customer permission.
"Who's Reading Your Medical Records," Consumer Reports, October 1994,
at 628, paraphrasing Sweeney, Latanya, "Weaving Technology and Policy
Together to Maintain Confidentiality," The Journal of Law, Medicine and
Ethics (Summer & Fall 1997) Vol. 25, Numbers 2,3.

The
answer to these concerns is not for consumers to withdraw from society and the
health care system, but for society to establish a clear national legal
framework for privacy. By spelling out what is and what is not an allowable use
of a person's identifiable health information, such standards can help to
restore and preserve trust in the health care system and the individuals and
institutions that comprise that system. As medical historian Paul Starr wrote:
"Patients have a strong interest in preserving the privacy of their
personal health information but they also have an interest in medical research
and other efforts by health care organizations to improve the medical care they
receive. As members of the wider community, they have an interest in public
health measures that require the collection of personal data." (P. Starr,
"Health and the Right to Privacy," American Journal of Law &
Medicine, 25, nos. 2&3 (1999) 193-201). The task of society and its
government is to create a balance in which the individual's needs and rights are
balanced against the needs and rights of society as a whole. National
standards for medical privacy must recognize the sometimes competing goals of
improving individual and public health, advancing scientific knowledge,
enforcing the laws of the land, and processing and paying claims for health care
services. This need for balance has been recognized by many of the experts in
this field. Cavoukian and Tapscott described it this way: "An individual's
right to privacy may conflict with the collective rights of the public. . .We do
not suggest that privacy is an absolute right that reigns supreme over all other
rights. It does not. However, the case for privacy will depend on a number of
factors that can influence the balance - the level of harm to the individual
involved versus the needs of the public."

The Federal Response

There have been numerous federal initiatives aimed at protecting the privacy of
especially sensitive personal information over the past several years -- and
several decades. While the rules below are likely the largest single federal
initiative to protect privacy, they are by no means alone in the field. Rather,
the rules arrive in the context of recent legislative activity to grapple with
advances in technology, in addition to an already established body of law
granting federal protections for personal privacy. In
1965, the House of Representatives created a Special Subcommittee on Invasion of
Privacy. In 1973, this Department's predecessor agency, the Department of
Health, Education and Welfare issued The Code of Fair Information Practice
Principles establishing an important baseline for information privacy in
the U.S. These principles formed the basis for the federal Privacy Act of 1974,
which regulates the government's use of personal information by limiting the
disclosure of personally-identifiable information, allows consumers access to
information about them, requires federal agencies to specify the purposes for
collecting personal information, and provides civil and criminal penalties for
misuse of information. In
the last several years, with the rapid expansion in electronic technology -- and
accompanying concerns about individual privacy -- laws, regulations, and
legislative proposals have been developed in areas ranging from financial
privacy to genetic privacy to the safeguarding of children on-line. For example,
the Children's Online Privacy Protection Act was enacted in 1998, providing
protection for children when interacting at web-sites. In February, 2000,
President Clinton signed Executive Order 13145, banning the use of genetic
information in federal hiring and promotion decisions. The landmark financial
modernization bill, signed by the President in November, 1999, likewise
contained financial privacy protections for consumers. There also has been
recent legislative activity on establishing legal safeguards for the privacy of
individuals' Social Security numbers, and calls for regulation of on-line
privacy in general. These
most recent laws, regulations, and legislative proposals come against the
backdrop of decades of privacy-enhancing statutes passed at the federal level to
enact safeguards in fields ranging from government data files to video rental
records. In the 1970s, individual privacy was paramount in the passage of the
Fair Credit Reporting Act (1970), the Privacy Act (1974), the Family Educational
Rights and Privacy Act (1974), and the Right to Financial Privacy Act (1978).
These key laws were followed in the next decade by another series of statutes,
including the Privacy Protection Act (1980), the Electronic Communications
Privacy Act (1986), the Video Privacy Protection Act (1988), and the Employee
Polygraph Protection Act (1988). In the last ten years, Congress and the
President have passed additional legal privacy protection through, among others,
the Telephone Consumer Protection Act (1991), the Driver's Privacy Protection
Act (1994), the Telecommunications Act (1996), the Children's Online Privacy
Protection Act (1998), the Identity Theft and Assumption Deterrence Act (1998),
and Title V of the Gramm-Leach-Bliley Act (1999) governing financial privacy. In
1997, a Presidential advisory commission, the Advisory Commission on Consumer
Protection and Quality in the Health Care Industry, recognized the need for
patient privacy protection in its recommendations for a Consumer Bill of Rights
and Responsibilities (November 1997). In 1997, Congress enacted the Balanced
Budget Act (Public Law 105-33), which added language to the Social Security Act
(section 1852, codified at 42 U.S.C. 1395w-22) to require Medicare+Choice
organizations to establish safeguards for the privacy of individually
identifiable patient information.
Similarly, the Veterans Benefits section of the U.S. Code provides for
confidentiality of medical records in cases involving drug abuse, alcoholism or
alcohol abuse, HIV infection, or sickle cell anemia (38 U.S.C. 7332). As
described in more detail in the next section, Congress recognized the importance
of protecting the privacy of health information by enacting the Health Insurance
Portability and Accountability Act of 1996. The Act called on Congress to enact
a medical privacy statute and asked the Secretary of Health and Human Services
to provide Congress with recommendations for protecting the confidentiality of
health care information. The Congress further recognized the importance of such
standards by providing the Secretary with authority to promulgate regulations on
health care privacy in the event that lawmakers were unable to act within the
allotted three years. Finally,
it also is important for the U.S. to join the rest of the developed world in
establishing basic medical privacy protections. In 1995, the European Union (EU)
adopted a Data Privacy Directive requiring its 15 member states to adopt
consistent privacy laws by October 1998. The EU urged all other nations to do
the same or face the potential loss of access to information from EU countries.

Statutory Background

History of the Privacy Component of the Administrative Simplification Provisions

The Congress addressed the opportunities and challenges presented by the rapid
evolution of health information systems in the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), Public Law 104-191, which was enacted on
August 21, 1996. Sections 261 through 264 of HIPAA are known as the
Administrative Simplification provisions. The major part of these Administrative
Simplification provisions is found at section 262 of HIPAA, which enacted a new
part C of title XI of the Social Security Act (hereinafter we refer to the
Social Security Act as the "Act" and we refer to all other laws cited
in this document by their names). In
section 262, Congress primarily sought to facilitate the efficiencies and cost
savings for the health care industry that the increasing use of electronic
technology affords. Thus, section 262 directs HHS to issue standards to
facilitate the electronic exchange of information with respect to financial and
administrative transactions carried out by health plans, health care
clearinghouses, and health care providers who transmit information
electronically in connection with such transactions. At
the same time, Congress recognized the challenges to the confidentiality of
health information presented by the increasing complexity of the health care
industry, and by advances in health information systems technology and
communications. Section 262 thus also directs HHS to develop standards to
protect the security, including the confidentiality and integrity, of health
information. Congress
has long recognized the need for protection of health information privacy
generally, as well as the privacy implications of electronic data interchange
and the increased ease of transmitting and sharing individually identifiable
health information. Congress has been working on broad health privacy
legislation for many years and, as evidenced by the self-imposed three year
deadline included in the HIPAA, discussed below, believes it can and should
enact such legislation. A significant portion of the first Administrative
Simplification section debated on the floor of the Senate in 1994 (as part of
the Health Security Act) consisted of privacy provisions. In the version of the
HIPAA passed by the House of Representatives in 1996, the requirement for the
issuance of privacy standards was located in the same section of the bill
(section 1173) as the requirements for issuance of the other HIPAA
Administrative Simplification standards. In conference, the requirement for
privacy standards was moved to a separate section in the same part of HIPAA,
section 264, so that Congress could link the Privacy standards to Congressional
action. Section
264(b) requires the Secretary of HHS to develop and submit to the Congress
recommendations for:

• The rights that an individual who is a subject of individually identifiable
health information should have.
• The procedures that should be established for the exercise of such rights.
• The uses and disclosures of such information that should be authorized or
required.

The
Secretary's Recommendations were submitted to the Congress on September 11,
1997. Section 264(c)(1) provides that:

If legislation governing standards with respect to the privacy of individually
identifiable health information transmitted in connection with the transactions
described in section 1173(a) of the Social Security Act (as added by section
262) is not enacted by [August 21, 1999], the Secretary of Health and Human
Services shall promulgate final regulations containing such standards not later
than [February 21, 2000]. Such regulations shall address at least the subjects
described in subsection (b).

As
the Congress did not enact legislation regarding the privacy of individually
identifiable health information prior to August 21, 1999, HHS published proposed
rules setting forth such standards on November 3, 1999, 64 FR 59918, and is now
publishing the mandated final regulation. These
privacy standards have been, and continue to be, an integral part of the suite
of Administrative Simplification standards intended to simplify and improve the
efficiency of the administration of our health care system.

The Administrative Simplification Provisions, and Regulatory Actions To Date

Part C of title XI consists of sections 1171 through 1179 of the Act. These sections
define various terms and impose several requirements on HHS, health plans,
health care clearinghouses, and health care providers who conduct the identified
transactions electronically. The
first section, section 1171 of the Act, establishes definitions for purposes of
part C of title XI for the following terms: code set, health care clearinghouse,
health care provider, health information, health plan, individually identifiable
health information, standard, and standard setting organization. Section
1172 of the Act makes the standards adopted under part C applicable to: (1)
health plans, (2) health care clearinghouses, and (3) health care providers who
transmit health information in electronic form in connection with transactions
referred to in section 1173(a)(1) of the Act (hereinafter referred to as the
"covered entities"). Section 1172 also contains procedural
requirements concerning the adoption of standards, including the role of
standard setting organizations and required consultations, summarized in
subsection F and section VI, below. Section
1173 of the Act requires the Secretary to adopt standards for transactions, and
data elements for such transactions, to enable health information to be
exchanged electronically. Section 1173(a)(1) describes the transactions to be
promulgated, which include the nine transactions listed in section 1173(a)(2)
and other transactions determined appropriate by the Secretary. The remainder of
section 1173 sets out requirements for the specific standards the Secretary is
to adopt: unique health identifiers, code sets, security standards, electronic
signatures, and transfer of information among health plans. Of particular
relevance to this rule is section 1173(d), the security standard
provision. The security standard authority applies to both the transmission and
the maintenance of health information, and requires the entities described in
section 1172(a) to maintain reasonable and appropriate safeguards to ensure the
integrity and confidentiality of the information, protect against reasonably
anticipated threats or hazards to the security or integrity of the information
or unauthorized uses or disclosures of the information, and to ensure compliance
with part C by the entity's officers and employees. In
section 1174 of the Act, the Secretary is required to establish standards for
all of the above transactions, except claims attachments, by February 21, 1998.
The statutory deadline for the claims attachment standard is February 21, 1999. As
noted above, a proposed rule for most of the transactions was published on May
7, 1998, and the final Transactions Rule was promulgated on August 17, 2000. The
delay was caused by the deliberate consensus building process, working with
industry, and the large number of comments received (about 17,000). In addition,
in a series of Notices of Proposed Rulemakings, HHS published other proposed
standards, as described above. Each of these steps was taken in concert with the
affected professions and industries, to ensure rapid adoption and compliance. Generally,
after a standard is established, it may not be changed during the first year
after adoption except for changes that are necessary to permit compliance with
the standard. Modifications to any of these standards may be made after the
first year, but not more frequently than once every 12 months. The Secretary
also must ensure that procedures exist for the routine maintenance, testing,
enhancement, and expansion of code sets and that there are crosswalks from prior
versions. Section
1175 of the Act prohibits health plans from refusing to process, or from
delaying processing of, a transaction that is presented in standard format. It
also establishes a timetable for compliance: each person to whom a standard or
implementation specification applies is required to comply with the standard
within 24 months (or 36 months for small health plans) of its adoption. A health
plan or other entity may, of course, comply voluntarily before the effective
date. The section also provides that compliance with modifications to standards
or implementation specifications must be accomplished by a date designated by
the Secretary, which date may not be earlier than 180 days from the notice of
change. Section
1176 of the Act establishes civil monetary penalties for violation of the
provisions in part C of title XI of the Act, subject to several limitations.
Penalties may not be more than $100 per person per violation and not more than
$25,000 per person for violations of a single standard for a calendar year. The
procedural provisions of section 1128A of the Act apply to actions taken to
obtain civil monetary penalties under this section. Section
1177 establishes penalties for any person that knowingly uses a unique health
identifier, or obtains or discloses individually identifiable health information
in violation of the part. The penalties include: (1) a fine of not more than
$50,000 and/or imprisonment of not more than 1 year; (2) if the offense is
"under false pretenses," a fine of not more than $100,000 and/or
imprisonment of not more than 5 years; and (3) if the offense is with intent to
sell, transfer, or use individually identifiable health information for
commercial advantage, personal gain, or malicious harm, a fine of not more than
$250,000 and/or imprisonment of not more than 10 years. Under
section 1178 of the Act, the requirements of part C, as well as any standards or
implementation specifications adopted thereunder, preempt contrary state law.
There are three exceptions to this general rule of preemption: state laws that
the Secretary determines are necessary for certain purposes set forth in the
statute; state laws that the Secretary determines address controlled substances;
and state laws relating to the privacy of individually identifiable health
information that are contrary to and more stringent than the federal
requirements. There also are certain areas of state law (generally relating to
public health and oversight of health plans) that are explicitly carved out of
the general rule of preemption and addressed separately. Section
1179 of the Act makes the above provisions inapplicable to financial
institutions (as defined by section 1101 of the Right to Financial Privacy Act
of 1978) or anyone acting on behalf of a financial institution when
"authorizing, processing, clearing, settling, billing, transferring,
reconciling, or collecting payments for a financial institution." Finally,
as explained above, section 264 requires the Secretary to issue standards with
respect to the privacy of individually identifiable health information. Section
264 also contains a preemption provision that provides that contrary provisions
of state laws that are more stringent than the federal standards, requirements,
or implementation specifications will not be preempted.

Our Approach to This Regulation

Balance

A
number of facts informed our approach to this regulation. Determining the best
approach to protecting privacy depends on where we start, both with respect to
existing legal expectations and also with respect to the expectations of
individuals, health care providers, payers and other stakeholders. From the
comments we received on the proposed rule, and from the extensive fact finding
in which we engaged, a confused picture developed. We learned that stakeholders
in the system have very different ideas about the extent and nature of the
privacy protections that exist today, and very different ideas about appropriate
uses of health information. This leads us to seek to balance the views of the
different stakeholders, weighing the varying interests on each particular issue
with a view to creating balance in the regulation as a whole. For
example, we received hundreds of comments explaining the legitimacy of various
uses and disclosure of health information. We agree that many uses and
disclosures of health information are "legitimate," but that is not
the end of the inquiry. Neither privacy, nor the important social goals
described by the commenters, are absolutes. In this regulation, we are asking
health providers and institutions to add privacy into the balance, and we are
asking individuals to add social goals into the balance. The
vast difference among regulated entities also informed our approach in
significant ways. This regulation applies to solo practitioners, and
multi-national health plans. It applies to pharmacies and information
clearinghouses. These entities differ not only in the nature and scope of their
businesses, but also in the degree of sophistication of their information
systems and information needs. We therefore designed the core requirements of
this regulation to be flexible and "scalable." This is reflected
throughout the rule, particularly in the implementation specifications for
making the 'minimum necessary' uses and disclosures, and in the administrative
policies and procedures requirements. We
also are informed by the rapid evolution in industry organization and practice.
Our goal is to enhance privacy protections in ways that do not impede this
evolution. For example, we received many comments asking us to assign a status
under this regulation based on a label or title. For example, many commenters
asked whether "disease management" is a "health care
operation," or whether a "pharmacy benefits manager" is a covered
entity. From the comments and our fact-finding, however, we learned that these
terms do not have consistent meanings today; rather, they encompass diverse
activities and information practices. Further, the statutory definitions of key
terms such as 'health care provider' and 'health care clearinghouse' describe
functions, not specific types of persons or entities. To respect both the
Congressional approach and industry evolution, we design the rule to follow
activities and functions, not titles and labels. Similarly,
many comments asked whether a particular person would be a "business
associate" under the rule, based on the nature of the person's business.
Whether a business associate arrangement must exist under the rule, however,
depends on the relationship between the entities and the services being
performed, not on the type of persons or companies involved. Our
approach is also significantly informed by the limited jurisdiction conferred by
HIPAA. In large part, we have the authority to regulate those who create and
disclose health information, but not many key stakeholders who receive that
health information from a covered entity. Again, this led us to look to the
balance between the burden on covered entities and need to protect privacy in
determining our approach to such disclosures. In some instances, we approach
this dilemma by requiring covered entities to obtain a representation or
documentation of purpose from the person requesting information. While there
would be advantages to legislation regulating such third persons directly, we
cannot justify abandoning any effort to enhance privacy. It
also became clear from the comments and our fact-finding that we have
expectations as a society that conflict with individuals' views about the
privacy of health information. We expect the health care industry to develop
treatment protocols for the delivery of high quality health care. We expect
insurers and the government to reduce fraud in the health care system. We expect
to be protected from epidemics, and we expect medical research to produce
miracles. We expect the police to apprehend suspects, and we expect to pay for
our care by credit card. All of these activities involve disclosure of health
information to someone other than our physician. While
most commenters support the concept of health privacy in general, many go on to
describe activities that depend on the disclosure of health information and urge
us to protect those information flows. Section III, in which we respond to the
comments, describes our approach to balancing these conflicting expectations. Finally,
we note that many commenters were concerned that this regulation would lessen
current privacy protections. It is important to understand this regulation as a
new federal floor of privacy protections that does not disturb more protective
rules or practices. Nor do we intend this regulation to describe a set of a
"best practices." Rather, this regulation describes a set of basic
consumer protections and a series of regulatory permissions for use and
disclosure of health information. The protections are a mandatory floor, which
other governments and any covered entity may exceed. The permissions are just
that, permissive -- the only disclosures of health information required under
this rule are to the individual who is the subject of the information or to the
Secretary for enforcement of this rule. We expect covered entities to rely on
their professional ethics and use their own best judgements in deciding which of
these permissions they will use.

Combining Workability with New Protections

This
rule establishes national minimum standards to protect the privacy of
individually identifiable health information in prescribed settings. The
standards address the many varied uses and disclosures of individually
identifiable health information by health plans, certain health care providers
and health care clearinghouses. The complexity of the standards reflects the
complexity of the health care marketplace to which they apply and the variety of
subjects that must be addressed. The rule applies not only to the core health
care functions relating to treating patients and reimbursing health care
providers, but also to activities that range from when individually identifiable
health information should be available for research without authorization to
whether a health care provider may release protected health information about a
patient for law enforcement purposes. The number of discrete provisions, and the
number of commenters requesting that the rule recognize particular activities,
is evidence of the significant role that individually identifiable health
information plays in many vital public and private concerns. At
the same time, the large number of comments from individuals and groups
representing individuals demonstrate the deep public concern about the need to
protect the privacy of individually identifiable health information. The
discussion above is rich with evidence about the importance of protecting
privacy and the potential adverse consequences to individuals and their health
if such protections are not extended. The
need to balance these competing interests - the necessity of protecting privacy
and the public interest in using identifiable health information for vital
public and private purposes - in a way that is also workable for the varied
stakeholders causes much of the complexity in the rule. Achieving workability
without sacrificing protection means some level of complexity, because the rule
must track current practices and current practices are complex. We believe that
the complexity entailed in reflecting those practices is better public policy
than a perhaps simpler rule that disturbed important information flows. Although
the rule taken as a whole is complicated, we believe that the standards are much
less complex as they apply to particular actors. What a health plan or covered
health care provider must do to comply with the rule is clear, and the two-year
delayed implementation provides a substantial period for trade and professional
associations, working with their members, to assess the effects of the standards
and develop policies and procedures to come into compliance with them. For
individuals, the system may look substantially more complicated because, for the
first time, we are ensuring that individuals will receive detailed information
about how their individually identifiable health information may be used and
disclosed. We also provide individuals with additional tools to exercise some
control over those uses and disclosures. The additional complexity for
individuals is the price of expanding their understanding and their rights. The
Department will work actively with members of the health care industry,
representatives of individuals and others during the implementation of this
rule. As stated elsewhere, our focus is to develop broader understanding of how
the standards work and to facilitate compliance. We intend to provide guidance
and check lists as appropriate, particularly to small businesses affected by the
rule. We also will work with trade and professional associations to develop
guidance and provide technical assistance so that they can help their members
understand and comply with these new standards. If this effort is to succeed,
the various public and private participants inside and outside of the health
care system will need to work together to assure that the competing interests
described above remain in balance and that an ethic that recognizes their
importance is established.

Enforcement

The
Secretary has decided to delegate her responsibility under this regulation to
the Department's Office for Civil Rights (OCR). OCR will be responsible for
enforcement of this regulation. Enforcement activities will include working with
covered entities to secure voluntary compliance through the provision of
technical assistance and other means; responding to questions regarding the
regulation and providing interpretations and guidance; responding to state
requests for exception determinations; investigating complaints and conducting
compliance reviews; and, where voluntary compliance cannot be achieved, seeking
civil monetary penalties and making referrals for criminal prosecution.

Consent

Current law and practice

The
issue that drew the most comments overall is the question of when individuals'
permission should be obtained prior to use or disclosure of their health
information. We learned that individuals' views and the legal view of 'consent'
for use and disclosure of health information are different and in many ways
incompatible. Comments from individuals revealed a common belief that, today,
people must be asked permission for each and every release of their health
information. Many believe that they "own" the health records about
them. However, current law and practice do not support this view. Current
privacy protection practices are determined in part by the standards and
practices that the professional associations have adopted for their members.
Professional codes of conduct for ethical behavior generally can be found as
opinions and guidelines developed by organizations such as the American Medical
Association, American Nurses' Association, the American Hospital Association,
the American Psychiatric Association, and the American Dental Association. These
are generally issued through an organization's governing body. The codes do not
have the force of law, but providers often recognize them as binding rules. Our
review of professional codes of ethics revealed partial, but loose, support for
individuals' expectations of privacy. For example, the American Medical
Association's Code of Ethics recognizes both the right to privacy and the need
to balance it against societal needs. It reads in part: "conflicts between
a patient's right to privacy and a third party's need to know should be resolved
in favor of the patient, except where that would result in serious health hazard
or harm to the patient or others." AMA Policy No 140.989. See also, Mass.
Med. Society, Patient Privacy and Confidentiality (1996), at 14: Patients
enter treatment with the expectation that the information they share will be
used exclusively for their clinical care. Protection of our patients'
confidences is an integral part of our ethical training. These
codes, however, do not apply to many who obtain information from providers. For
example, the National Association of Insurance Commissioners model code,
"Health Information Privacy Model Act"(1998), applies to insurers but
has not been widely adopted. Codes of ethics are also often written in general
terms that do not provide guidance to providers and plans confronted with
specific questions about protecting health information. State laws are a crucial means of protecting health information, and today state laws vary dramatically. Some states defer to the professional codes of conduct, others provide general guidelines for privacy protection, and others provide detailed requirements relating to the protection of information relating to specific diseases or to entire classes of information. Cf., D.C. Code Ann. 2-3305.14(16) and Haw. Rev. Stat. 323C, et seq. In general, state statutes and case law addressing consent to use of health information do not support the public's strong expectations regarding consent for use and disclosure of health information. Only about half of th