HHS Guidance December 2002
STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION
[45 CFR Parts 160 and 164]
Introduction
This guidance explains and answers questions about key elements of the requirements of the HIPAA Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule). The Department of Health and Human Services (HHS) published the Privacy Rule on December 28, 2000, and adopted modifications of the Rule on August 14, 2002.

The Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) provides the first comprehensive Federal protection for the privacy of health information. All segments of the health care industry have expressed support for the objective of enhanced patient privacy in the health care system. The Privacy Rule, as modified, is carefully balanced to provide strong privacy protections that do not interfere with patient access to, or the quality of, health care delivery.
The guidance that follows is meant to communicate as clearly as possible the privacy policies contained in the Privacy Rule. For a particular segment in the Privacy Rule, the guidance will provide a brief explanation of the segment and how the Rule works, followed by “Frequently Asked Questions” about that provision. The guidance does not address all of the relevant provisions in the Rule, although we anticipate adding segments in the future as we develop guidance on more Privacy Rule standards. We will also be adding to the “Frequently Asked Questions” on an ongoing basis as new questions arise. HHS plans to work expeditiously to address these additional questions to facilitate understanding of the Rule and to encourage voluntary compliance with its requirements. However, for a full understanding of one’s rights and responsibilities under the Rule, it is important to consult the Rule itself.
Contents
General Overview
Incidental Uses and Disclosures (45 CFR 164.502(a))
Minimum Necessary (45 CFR 164.502(b), 164.514(d))
Personal Representatives (45 CFR 164.502(g))
Business Associates (45 CFR 164.502(e), 164.504(e), 164.532(d) and (e))
Uses and Disclosures for Treatment, Payment, and Health Care Operations (45 CFR 164.506)
Marketing (45 CFR 164.501, 164.508(a))
Public Health (45 CFR 164.512(b))
Research (45 CFR 164.501, 164.508, 164.512(i), 164.514(e), 164.528, 164.532)
Workers’ Compensation Laws (45 CFR 164.512(l))
Notice (45 CFR 164.520)
Government Access (45 CFR Part 160, Subpart C, 164.512(f))
Miscellaneous FAQs
GENERAL OVERVIEW OF STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION
[45 CFR Part 160 and Subparts A and E of Part 164]
The following overview provides answers to general questions regarding the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), promulgated by the Department of Health and Human Services (HHS).
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, included “Administrative Simplification” provisions that required HHS to adopt national standards for electronic health care transactions. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.
In response to the HIPAA mandate, HHS published a final regulation in the form of the Privacy Rule in December 2000, which became effective on April 14, 2001. This Rule set national standards for the protection of health information, as applied to the three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct certain health care transactions electronically. By the compliance date of April 14, 2003 (April 14, 2004, for small health plans), covered entities must implement standards to protect and guard against the misuse of individually identifiable health information. Failure to timely implement these standards may, under certain circumstances, trigger the imposition of civil or criminal penalties.
Secretary Tommy Thompson called for an additional opportunity for public comment on the Privacy Rule to ensure that the Privacy Rule achieves its intended purpose without adversely affecting the quality of, or creating new barriers to, patient care. After careful consideration of these comments, in March 2002 HHS published proposed modifications to the Rule, to improve workability and avoid unintended consequences that could have impeded patient access to delivery of quality health care. Following another round of public comment, in August 2002, the Department adopted as a final Rule the modifications necessary to ensure that the Privacy Rule worked as intended.
The Privacy Rule establishes, for the first time, a foundation of Federal protections for the privacy of protected health information. The Rule does not replace Federal, State, or other law that grants individuals even greater privacy protections, and covered entities are free to retain or adopt more protective policies or practices.
General Overview
Q: What does the HIPAA Privacy Rule do?
A: Most health plans and health care providers that are covered by the new Rule must comply with the new requirements by April 14, 2003.
The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.
• It gives patients more control over their health information.
• It sets boundaries on the use and release of health records.
• It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
• It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
• And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.
For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
• It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
• It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
• It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
• It empowers individuals to control certain uses and disclosures of their health information.
Q: Why is the HIPAA Privacy Rule needed?
A: In enacting HIPAA, Congress mandated the establishment of Federal standards for the privacy of individually identifiable health information. When it comes to personal information that moves across hospitals, doctors’ offices, insurers or third party payers, and State lines, our country has relied on a patchwork of Federal and State laws. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by State or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a Federal floor of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections will continue to apply over and above the new Federal privacy standards.
Health care providers have a strong tradition of safeguarding private health information. However, in today’s world, the old system of paper records in locked filing cabinets is not enough. With information broadly held and transmitted electronically, the Rule provides clear standards for the protection of personal health information.
Q: Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?
A: For the average health care provider or health plan, the Privacy Rule requires activities, such as:
• Notifying patients about their privacy rights and how their information can be used.
• Adopting and implementing privacy procedures for its practice, hospital, or plan.
• Training employees so that they understand the privacy procedures.
• Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
• Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
Responsible health care providers and businesses already take many of the kinds of steps required by the Rule to protect patients’ privacy. Covered entities of all types and sizes are required to comply with the Privacy Rule. To ease the burden of complying with the new requirements, the Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs. The scalability of the Rule provides a more efficient and appropriate means of safeguarding protected health information than would any single standard. For example,
• The privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties; the privacy official at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board.
• The training requirement may be satisfied by a small physician practice’s providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.
• The policies and procedures of small providers may be more limited under the Rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.
Q: Who must comply with these new HIPAA privacy standards?
A: As required by Congress in HIPAA, the Privacy Rule covers:
• Health plans
• Health care clearinghouses
• Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
These entities (collectively called “covered entities”) are bound by the new privacy standards even if they contract with others (called “business associates”) to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate ot