Update: On January 5, 2000, the Health Care Financing Administration (HCFA) published corrections to the HHS proposed privacy rule. Details can be found
I. Introduction
On November 3, 1999, the Office of the Assistant Secretary for Planning and Evaluation, Department of Health and Human Services ("ASPE") published in the Federal Register a proposed rule setting forth Standards for Privacy of Individually Identifiable Health Information ("the proposed rule"). Entities, other than small health plans, that are covered by the proposed rule must be in compliance not later than twenty-four months after the rule becomes final. ASPE will accept comments until January 3, 2000.
As a service to our clients and others, we are distributing this Alert which summarizes some of the key terms and provisions of the proposed rule. We believe that the proposed rule has potentially huge ramifications for all health care treatment institutions, health care providers, and their business partners. We recommend that these entities pay close attention to this regulation and the other HIPAA regulations that were previously promulgated.
II. Purpose of Proposed Rule
Under the Health Insurance Portability and Accountability Act ("HIPAA") of 1996, if Congress failed to enact standards for the privacy of individually identifiable health information by August 21, 1999, the Secretary of Health and Human Services ("the Secretary") was directed to promulgate final regulations containing such standards by February 2, 2000. Congress failed to meet its deadline, and the Secretary has accordingly issued the proposed rule. The proposed rule places limitations on the use and disclosure of protected health information and creates rights for the subjects of that information.
III. Key Definitions
The definitions contained in the proposed rule identify the entities and information to which the proposed rule applies. Of particular significance are the following definitions.
A. Covered Entities
The standards in the proposed rule apply to all health plans, all health care clearinghouses, and all health care providers that transmit health information in an electronic form in connection with a standard transaction.
B. Health plan
The proposed rule defines "health plan" by reference to the definition contained in section 1171 of the Social Security Act ("the Act"). Under that section, a health plan is an individual or group plan that provides for, or pays the cost of, medical care and includes certain employee welfare benefit plans, state-regulated insurance plans, managed care plans, and essentially all government health plans, including Medicare, Medicaid, the Veterans Health Care Program, and plans participating in the Federal Employees Health Benefits Program.
C. Health Care Provider
Under the proposed rule, a "health care provider" is a provider of services as defined in section 1861(u) of the Act, a provider of medical or other health services as defined in section 1861(s) of the Act, and any other person who furnishes, bills or is paid for health care services or supplies in the normal course of business. The definition includes: a researcher who provides health care to the subjects of research; free clinics; a health clinic or licensed health care professional located at a school or business; institutional providers, such as hospitals, skilled nursing facilities, home health agencies, and comprehensive outpatient rehabilitation facilities; physicians; clinical laboratories; various licensed/certified health care practitioners; suppliers of durable medical equipment; pharmacies; nursing homes; therapists, technicians, and aides; group practices; and "on-line" pharmacies accessible on the Internet.
D. Health Care Clearinghouse
The proposed rule defines a "health care clearinghouse" as a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. The following entities are included in this definition to the extent they perform clearinghouse functions: billing services, repricing companies, community health management information systems or community health information systems, and "value-added" networks.
E. Covered Information/Protected Health Information
Protected health information is individually identifiable health information that is or has been electronically transmitted or maintained by a covered entity. The key factor in determining whether a transmission meets this definition is whether the source or the target of the transmission is a computer. Under the proposed rule, protected health information remains protected after it is read from a computer screen and discussed orally, printed onto paper or other media, photographed, or otherwise duplicated.
F. Health Care
The proposed rule defines "health care" as the provision of care, services, or supplies to a patient that includes any: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the structure or function of the body; (2) sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription; or (3) procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.
G. Business Partner
The proposed rule defines "business partner" to mean a person to whom a covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. Such term includes any agent, contractor or other person who receives protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence. Specifically included in the definition are: lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms, and other covered entities.
H. Individually Identifiable Health Information
The proposed rule defines "individually identifiable health information" as health information created or received by a health care provider, health plan, employer or health care clearinghouse, that could be used directly or indirectly to identify the individual who is the subject of the information.
IV. Disclosure Of Protected Information
Under the proposed rule, covered entities can use or disclose an individual's protected health information without authorization only for purposes of treatment, payment, health care operations, and specified public policy-related purposes. Examples of specified public policy-related purposes include: 1) health oversight activities, 2) judicial and administrative proceedings, and 3) law enforcement.
In all other circumstances, a covered entity may disclose protected health information only if it obtains authorization from the individual to whom the information relates. For instance, authorization is required to disclose protected health information in connection with the following activities, which the proposed rule describes as not necessary for the key functions of treatment and payment:
• marketing of health and non-health items and services;
• sale, rent or barter of protected health information;
• use of protected health information by non-health related divisions of the same corporation, e.g., for use in marketing or underwriting life or casualty insurance, or in banking services;
• disclosure, by sale or otherwise, of protected health information to a plan or provider for making eligibility or enrollment determinations, or for underwriting or risk rating determinations, prior to the individual's enrollment in the plan;
• employer's use in employment determinations; and
• fund raising.
The proposed rule mandates disclosure in only two circumstances: to permit individuals to inspect and copy protected health information about them, and to the Secretary for enforcement of the proposed rule.
V. Authorization
Under the proposed rule, authorization is required both when the individual who is the subject of the protected health information initiates the disclosure and when a covered entity seeks the disclosure. The required contents of the authorization differ somewhat between the two cases.
A. Authorization For Disclosure Initiated By Individual
When an individual initiates disclosure of his or her protected health information, a covered entity must obtain an authorization from that individual, and the authorization must satisfy several requirements. Prior to disclosing information, a covered entity must receive an authorization that:
• describes the information to be used or disclosed with sufficient specificity to allow the covered entity to ascertain what information the authorization references;
• identifies sufficiently the covered entity or covered entities that would be authorized to use or disclose the protected health information;
• identifies the person or persons that would be authorized to use or receive the protected health information with sufficient specificity to reasonably permit identification of the authorized user or recipient;
• states a specific expiration date;
• includes a signature or other authentication (e.g., electronic signature) and the date of the signature;
• includes a statement that the individual understands that he or she may revoke the authorization, except to the extent that action has been taken in reliance on it; and
• states that the individual understands that once the information is disclosed to anyone other than a covered entity, it would no longer be protected by the rule.
Interestingly, under the proposed rule a covered entity is not required to disclose information pursuant to an individual's authorization; the only disclosure to an individual that is mandatory is the one made pursuant to his or her right of access to protected health information.
B. Authorization For Disclosure Initiated By Covered Entities
As mentioned above, a covered entity may not disclose protected health information without an authorization from the individual unless the information is to be used for health care treatment, payment, operations, or designated public policy purposes. When a covered entity asks an individual to authorize a disclosure, it must ensure that the authorization includes all of the items required when the individual initiates the authorization and, additionally, must ensure that the authorization:
• contains a statement that identifies the purposes for which the information is sought as well as the proposed uses and disclosures of the information;
• is narrowly tailored to authorize use or disclosure of only the protected health information necessary to accomplish the purpose specified in the authorization;
• advises the individual that he or she may inspect or copy the information to be used or disclosed as provided in the proposed rule, that he or she may refuse to sign the authorization, and that treatment and payment cannot be conditioned on the individual's authorization; and
• includes a statement that the disclosure would result in commercial gain to the covered entity, in situations where the covered entity would receive financial or in-kind compensation in exchange for using or disclosing the health information.
Covered entities must provide the individual with a copy of the signed authorization form, and the individual can revoke an authorization at any time except to the extent that action has been taken in reliance on the authorization.
VI. Minimal Necessity
The proposed rule requires that disclosure of protected information be restricted to the minimum amount of information necessary to accomplish the purpose for which the information is used or disclosed, taking into consideration practical and technological limitations (including the size and nature of the covered entity's business) and costs.
To comply with this requirement, the proposed rule requires covered entities to establish policies and procedures to limit the amount of protected health information used or disclosed to the minimum amount necessary to meet the purpose of the use or disclosure, and to limit access to protected health information only to those people who need access to the information to accomplish the use or disclosure. With respect to use, if an entity consists of several different components, the entity is required to create barriers between components so that information is not used inappropriately.
The proposed minimum necessary requirement is based on a reasonableness standard: covered entities are required to make reasonable efforts and to incur reasonable expense to limit the use and disclosure of protected health information as provided in this section. The proposed rule articulates factors for determining what constitutes reasonable efforts, as well as for determining the minimum information necessary to accomplish an allowable purpose.
VII. Business Partners Of Covered Entities
The proposed rule prohibits covered entities from disclosing protected health information to their business partners without adequate assurance from the business partner that it will appropriately safeguard the information. Adequate assurance takes the form of a contract between the covered entity and the business partner that meets certain criteria set out in the proposed rule. Under the proposed rule, a covered entity's contract with its business partner(s) must:
• be in writing;
• prohibit the business partner from further using or disclosing the protected health information for any purpose other than the purpose stated in the contract;
• prohibit the business partner from further using or disclosing the protected health information in a manner that would violate the requirements of this proposed rule if it were done by the covered entity;
• require the business partner to maintain safeguards as necessary to ensure that the protected health information is not used or disclosed except as provided by the contract;
• require the business partner to report to the covered entity any use or disclosure of the protected health information of which the business partner becomes aware that is not provided for in the contract;
• require the business partner to ensure that any subcontractors or agents to whom it provides protected health information received from the covered entity will agree to the same restrictions and conditions that apply to the business partner with respect to such information;
• establish how the covered entity would provide the subject of the protected health information with access to that information when the business partner has made any material alteration to it;
• require the business partner to make available its internal practices, books and records relating to the use and disclosure of protected health information received from the covered entity to HHS or its agents for the purposes of enforcing the provisions of this rule;
• require the business partner to incorporate any amendments or corrections to protected health information when notified by the covered entity that the information is inaccurate or incomplete;
• at termination of the contract, require the business partner to return to the covered entity, or destroy, all protected health information received from the covered entity that the business partner still maintains in any form, and prohibit the business partner from retaining such protected health information in any form;
• state that individuals who are the subject of the protected health information disclosed are intended to be third party beneficiaries of the contract; and
• authorize the covered entity to terminate the contract, if the covered entity determines that the business partner has repeatedly violated a term of the contract required by this paragraph.
The proposed rule holds the covered entity responsible for the violations of its business partners, and requires an assignment of responsibilities when a covered entity acts as a business partner of another covered entity. The business partner must also be contractually bound to apply the same limitations to its subcontractors (or persons with similar arrangements) who assist with or carry out the business partner's activities.
Given that auditors, consultants, and billing firms are specifically included in the definition of business partner, this provision would require that each of these entities have a contract with a covered entity that meets the aforementioned criteria.
VIII. Rights Of Individuals
Not only does the proposed rule limit disclosure of protected health information, it also conveys rights to the subjects of that information. The proposed rule creates four basic rights for individuals to control their protected health information: 1) the right to a notice of information practices; 2) the right to obtain access to protected health information; 3) the right to obtain an accounting of disclosures; and 4) the right to request amendment and correction of protected health information.
A. Notice Of Information Procedures
Under the proposed rule health plans and health care providers must provide notice of their information practices concerning protected health information. The notice must include several basic statements to inform the individual of their rights and interests with respect to protected health information. For instance, the notice must:
• inform individuals that the covered plan or provider will not use or disclose their protected health information for purposes not listed in the notice without the individual's authorization;
• inform individuals that such authorizations can be revoked;
• inform individuals that they have the right to request that the covered plan or provider restrict certain uses and disclosures of protected health information about them, although the covered plan or provider is not required to agree to such a request;
• inform individuals about their right of access to protected health information for inspection and copying and to an accounting of disclosures;
• inform individuals about their right to request an amendment or correction of protected health information;
• include brief descriptions of the procedures for submitting requests to the covered plan or provider;
• include a statement that there are legal requirements that require the covered plan or provider to protect the privacy of its information, provide a notice of information practices, and abide by the terms of that notice;
• include a statement that the entity may revise its policies and procedures with respect to uses or disclosures of protected health information at any time and that such a revision could result in additional uses or disclosures without the individual's authorization;
• inform individuals that they have the right to complain to the covered entity and to the Secretary if they believe that their privacy rights have been violated;
• identify a contact person or office within the covered plan or provider to receive complaints, and to help the individual obtain further information on any of the issues identified in the notice; and
• be written in plain language.
B. Access For Inspection And Copying
The proposed rule provides, with very limited exceptions, that individuals have a right to inspect and copy their protected health information that is maintained in a designated record set by covered plans and providers and, in limited circumstances, by their business partners. The term designated record set is based upon and similar to the concept of a "system of records" under the Privacy Act. Under the proposed rule, a "designated record set" is "a group of any records under the control of any covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual."
C. Accounting
Under the proposed rule, individuals have a right to receive an accounting of all instances where protected health information about them is disclosed by a covered entity for purposes other than treatment, payment, and health care operations, subject to certain time-limited exceptions for disclosures to law enforcement and oversight agencies. The purpose of the accounting is to provide a means for individuals to know how the covered entity is disclosing protected health information about them.
D. Amendment And Correction
The proposed rule provides individuals with the right to request a covered plan or provider to amend or correct protected health information relating to the individual. A covered plan or provider would be required to accommodate requests with respect to any information that the covered plan or provider determines to be erroneous or incomplete, that was created by the plan or provider, and that would be available for inspection and copying under the proposed rule.
IX. Administrative Requirements
The proposed rule requires covered entities to develop and implement administrative procedures to protect protected health information and the rights of the individual with respect to that information. The proposed rule requires covered entities to:
• designate a privacy official;
• develop a privacy training program for employees;
• implement safeguards to protect health information from intentional or accidental misuse;
• provide some means for individuals to lodge complaints about the covered entity's information practices;
• develop a system of sanctions for employees and business partners who violate the entity's policies or procedures; and
• maintain documentation of their policies and procedures for complying with the requirements of this proposed rule.
The scale of the policies developed should be consistent with the size of the covered entity.
X. Relationship To State Laws
The proposed rule creates a federal floor of privacy protection. It does not supersede other applicable law that provides greater protection to the confidentiality of health information. Additionally, neither HIPAA nor the proposed rule preempts state laws that the Secretary determines are necessary to prevent fraud and abuse, to ensure appropriate state regulation of insurance and health plans, or to address state reporting on health care delivery, nor state laws addressing controlled substances.
XI. Damages
Under HIPAA, failure to comply with the proposed rule could result in the imposition of civil monetary penalties against covered entities as well as criminal penalties for certain wrongful disclosures. Individuals have no cause of action under HIPAA.
XII. Further Protections Sought
While the proposed rule contains significant requirements for the protection of individually identifiable health information, ASPE believes that the proposed rule does not adequately protect privacy interests due to HIPAA's constraints. ASPE believes that federal privacy legislation is required. Specifically, because of HIPAA's definition of covered entities, ASPE believes that the proposed rule does not directly cover many of the entities to whom identifiable health information is provided, and thus the proposed rule does not directly restrict the use and re-disclosure of such information by all likely recipients of such information. ASPE sees this omission as a significant hole in the proposed rule.
XIII. Conclusion
The proposed rule sets forth substantial requirements for the way covered entities and their business partners handle individually identifiable health information. If finalized in its current form, the proposed rule would most likely require covered entities and their business partners to significantly alter their current operations in order to comply with its terms. The ramifications and costs of compliance have not yet been determined, although a study conducted for Blue Cross has estimated that compliance with HIPAA will cost approximately $40 billion. Others have stated that compliance with HIPAA will cost more than expenditures for Y2K compliance.
The Office of the Assistant Secretary for Planning and Evaluation, Department of Health and Human Services is accepting comments on the proposed rule until January 3, 2000.