The Department of Health and Human Services ("HHS") issued a proposed rule on November 3, 1999, regarding the privacy of individually identifiable health information (the "Rule").1 Under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"),2 HHS is required to promulgate a final rule by February, 2000, if Congress failed to enact privacy legislation by August, 1999. In the absence of such legislation, HHS issued the Rule and is requesting final comments by February 17, 2000.
The Rule seeks to protect against the unauthorized use and disclosure of certain electronic health information kept by particular entities. Specifically, the Rule applies to identifiable health information (i.e., information that could be used to identify a patient) that becomes electronic, either by sending the information electronically or maintaining the information in a computer system. Electronic health information does not lose its protection under the Rule when the information is printed off the computer. The Rule applies only to (i) health care providers, (ii) health plans, and (iii) health care clearinghouses ("Covered Entities"). Under the Rule, the term "health care provider" is defined as "a provider of medical services as defined in section 1861(u) of the [Social Security Act (the "Act")], a provider of medical or other health services as defined in section 1861(s) of the Act, and any other person who furnishes health care services or supplies."3 The term "health plan" is defined under the Rule as "an individual plan or group plan that provides, or pays the cost of, medical care."4 And the term "health care clearinghouse" is defined "as a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard elements."5
The general goal of the Rule is to ensure that protected health information is easily accessible for health care purposes, but protected from the unauthorized use and disclosure for non-health care related purposes. In addition, HHS intends for the Rule to establish a system whereby patients will be: (i) informed of how their protected health information is being used and disclosed; (ii) able to obtain their protected health information; and (iii) assured that such information is protected by Covered Entities through administrative, technical and physical safeguards.
Pursuant to the Rule, Covered Entities are prohibited from using or disclosing health information except when authorized by the patient or under the Rule. If a Covered Entity obtains a patient’s authorization, protected health information may be used for almost any lawful purpose. The Rule prohibits Covered Entities from requiring patients to agree to such authorization as a condition for treatment or payment. Furthermore, the authorization must specify what information will be disclosed, to whom the information will be disclosed, when the authorization terminates, and, if applicable, that the information will be sold. The Rule also authorizes Covered Entities to use or disclose protected health information without a patient’s prior authorization for the purpose of treatment, payment or operations. Such purposes include utilization review, quality assurance, credentialing and assuring appropriate treatment and payment. In addition, Covered Entities may use and disclose protected health information without a patient’s authorization for specific national policy purposes, including public health, research, law enforcement, judicial and administrative proceedings, and identification of deceased persons.
Covered Entities are permitted under the Rule to disclose protected health information to contractors hired by the Covered Entity to perform functions on its behalf, including attorneys, auditors, and billing firms ("Business Partners"), without a patient’s authorization. However, if the Business Partner is not performing a treatment function on behalf of the Covered Entity, the Rule requires the Covered Entity to enter into an agreement with the Business Partner whereby the Business Partner agrees to keep identifiable health information confidential pursuant to the requirements under the Rule.
When Covered Entities are authorized to use or disclose protected health information, either by a patient or as specified under the Rule, such use or disclosure must be limited to the "minimum amount necessary to accomplish the intended purpose of the use or disclosure."6 Pursuant to the Rule, Covered Entities are not required to assess the minimum amount of health information to be disclosed if such information is requested by the patient who is the subject of the information or if the information is mandated by law. Covered Entities are also permitted to use or disclose unidentifiable or de-identified information for any purpose, provided that the Covered Entity does not reveal the mechanism used to de-identify the protected health information. Essentially, a Covered Entity’s mechanism for de-identifying protected health information is subject to the same limitations under the Rule as identifiable health information is.
In addition to setting forth privacy standards for Covered Entities, the Rule also provides patients with individual rights regarding their health information. Included among those rights are: (i) the right to obtain access to one’s protected health information; (ii) the right to request that amendments and corrections be made to incorrect health information; and (iii) the right to receive an accounting of the instances where a Covered Entity discloses protected health information for purposes other than treatment, payment or operations.
The Rule does not mandate how Covered Entities should comply with the requirements under the Rule. Rather, Covered Entities are allowed to establish systems that are appropriate for the nature and scope of their business. However, pursuant to the Rule, Covered Entities must have written policies that identify procedures regarding (i) who would have access to protected health information, (ii) how the information would be used within the entity, and (iii) when that information would or would not be disclosed to other entities.7 In addition, the Rule requires Covered Entities to:
- designate a privacy official;
- provide privacy training to members of its workforce;
- implement safeguards to protect health information from intentional or accidental misuse;
- provide a means for individuals to lodge complaints about the entity’s information practices, and maintain a record of any complaints; and
- develop a system of sanctions for members of the workforce and business partners who violate the entity’s policies.8
Essentially, the Rule provides privacy standards that Covered Entities must comply with but allows each Covered Entity to determine the specific details of the administrative, technical, and physical safeguards to ensure the privacy of protected health information.
Violators of the Rule face both civil and criminal penalties. Civil monetary penalties are limited to $25,000 per year per standard violated. Criminal penalties may be imposed for certain willful disclosures in violation of the statute. If the violator wrongfully discloses under false pretense or with the intent to sell the information, more severe criminal penalties may be imposed. The Rule does not provide individuals with a private right of action.
Pursuant to HIPAA, the Rule preempts any state law that conflicts with the Rule. State laws that provide more stringent privacy standards are not preempted. Unlike some state laws, the Rule provides the same level of protection to all individually identifiable health information and does not afford more protection to different categories of information that may be more sensitive (e.g., mental health, HIV infection, etc.). However, state laws that are more stringent would continue to apply.
Under HIPAA, HHS does not have the authority to regulate entities other than Covered Entities. Therefore, although the Rule, if finalized, will provide patients with the first federal protection against the unauthorized use or disclosure of their health information, the protection does not extend to recipients of such health information who are not Covered Entities. Recognizing that the Rule does not extend as far as necessary to fully protect patients’ health information, HHS continues to urge Congress to enact privacy legislation that would provide even greater protection to patients.9
1 Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59917 (1999) (to be codified at 45 C.F.R. pts. 160-64) (proposed November 3, 1999).
2 Pub. L. No. 104-191, 110 Stat. 1936.
3 64 Fed. Reg. at 59930.
4 Id. at 59931.
5 Id. at 59930.
6 Id. at 59943.
7 Department of Health & Human Services, "Proposed Standards for Privacy of Individually Identifiable Health Information", available at <http://aspe.hhs.gov/admnsimp/pvcsumm.htm>.
8 Id. at 59988.
9 Id. at 59927.