Privacy Standard/Rule (HIPAA)
Health Insurance Portability and Accountability Act (HIPAA) regulations are divided into four Standards or Rules: (1) Privacy (discussed here), (2) Security, (3) Identifiers, and (4) Transactions and Code Sets. The Privacy Rule is the most complex of the four, setting standards for how protected health information (PHI) "in any form or medium" should be controlled. (HIPAA's other rules cover only electronic information.) This Rule took effect in April 2003 for large entities, and a year later for small ones. (For details, see the HIPAA compliance calendar.)
Privacy Rule protections extend to every patient whose information is collected, used or disclosed by covered entities. It imposes responsibilities on the entire workforce of a covered entity -- including all employees and volunteers -- in order to secure those rights. It also requires contractual assurances from any business associates of health care institutions that handle health care information on a covered entity's behalf.
States have many laws and regulations that address health information. HIPAA adds its protections to those the states provide. In most cases, where state requirements are stricter they remain in force; HIPAA does not preempt them. Put differently, the Privacy Rule establishes a federal floor for health privacy, but not a ceiling.
In its most visible change, the Privacy Rule requires covered entities to provide patients with a Notice of Privacy Practices. The Notice must describe, in general terms, how the organization will protect health information, and specify the patient's right to:
- gain access to and, if desired, obtain a copy of his/her own health records;
- request corrections of errors that the patient finds (or include the patient's statement of disagreement if the institution believes the information is correct);
- receive an accounting of how his/her information has been used (including a list of the persons and institutions to whom/which it has been disclosed);
- request limits on access to, and additional protections for, particularly sensitive information.
A copy of the Privacy Notice must be provided the first time a patient sees a direct treatment provider, and at any time thereafter when requested. On that first visit, treatment providers must also make a good faith effort to obtain a written acknowledgement confirming that the patient received a copy of the Notice. Health plans and insurers must also provide periodic Notices to their customers, but do not need to secure any acknowledgement.
HIPAA requires no other documentation from the patient to use or disclose information for basic functions, like treatment and payment, or for a broad range of other core health care operations. State laws may nonetheless require some kind of consent/authorization form from the patient for these purposes. (It is common for institutions to claim, incorrectly, that HIPAA does.)
By contrast, the Privacy Rule does require that patients sign a supplemental authorization before information can be used for certain "extra" purposes like research, or certain kinds of marketing and fundraising. Health care institutions cannot condition treatment or payment for health care services on receiving a patient's authorization for such supplemental uses.
The general approach of the Rule beyond that is: if a person has a right to make a health care decision, then he/she has the right to control information associated with that decision. Children and those who are incompetent may have decisions about both health care and health information made by a personal representative. (Typically, the personal representative is the parent in the case of a child.)
HIPAA extends extra protections to especially sensitive information -- notably psychotherapy notes, which require a supplemental authorization for release. Genetic information issues are not yet addressed by HIPAA, nor does HIPAA extend any special protections to HIV, substance abuse or other information categories that often receive special treatment in state law.
Although the Privacy Rule is complicated (to put it mildly), it does have an overall scheme for its protections:
- Uses for treatment, payment and a long list of other routine health care operations are covered by the "Notice" that patients acknowledge receiving;
- A few particular kinds of uses -- notably for research, marketing or fundraising -- require a specific, separate written "authorization";
- A few others require only an opportunity to agree or object orally, but no consent or authorization -- notably, this includes listing of patients in facility directories, and disclosures to those involved in a patient's care, such as family members. (It is common to get written authorization for this too, though it is not required.)
Beyond treatment, payment and health care operations, there is another broad category of uses and disclosures that are permitted without patients' permission. This includes PHI uses and disclosures:
- for research, without any authorization, where permitted by an IRB or Privacy Board waiver;
- to avert a serious, imminent threat to public safety;
- for anything else required by law.
Individuals are entitled to an accounting of (some of) these disclosures, though that accounting might be temporarily suspended in certain circumstances.
Over and above all the categories, HIPAA imposes a very general rule on anyone who deals with protected health information: collection, use and disclosure should be no greater than necessary to complete a work-related task. For obvious reasons, this is called the minimum necessary standard.
The minimum necessary standard is partially waived for health practitioners engaged in treatment -- it still applies to treatment uses, but not to disclosures between/among practitioners. The regulations relax the requirement in part to avoid any possible interference in the daily practice of delivering health care.
Health care facilities are under an obligation to integrate the minimum necessary standard into their policies and procedures. That includes administrative rules as well as, where available, computer-enforced access controls.
Every covered entity must put in place general privacy policies that reflect HIPAA's requirements and, if they are stricter, the requirements of state law. Those policies must include sanctions for employees who violate them, including termination for serious or repeated violations.
Institutions must designate a privacy officer, who will have the responsibility for enforcing the regulations, as well as supervising (or handling directly) the procedures for handling requests for information access, corrections to records, accountings of disclosures, complaints, and so forth.
Institutions must also, as noted, include privacy requirements in their contracts with business associates. All employees (and volunteers) must be educated about privacy practices in a manner "appropriate" to their job responsibilities.
HIPAA includes substantial civil and criminal penalties for violations of its provisions, ranging from $100 per violation up to $250,000 and 10 years in prison. The harshest penalties apply to deliberate misuse, particularly the sale or use of information for personal gain, commercial advantage or malicious harm.