Statutory & Regulatory Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information.

What Information is Protected

The Privacy Rule protects individually identifiable health information, or "protected health information" (PHI), in any form or media, whether electronic, paper, or oral. There are no restrictions on the use or disclosure of de-identified health information.

Who is Covered by the Privacy Rule

The provisions apply to health plans, healthcare clearinghouses, and healthcare providers (the "covered entities" or "CEs").

Business Associates

A business associate ("BA") is a person or organization that performs certain functions, or provides certain services, for a CE that involve the use or disclosure of PHI. When a CE uses a BA to perform services, the CE must impose safeguards on the PHI used by or disclosed to BAs.

General Principle for Uses and Disclosures

Basic Principle. A CE may not use or disclose PHI except (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing.

Required Disclosures. A CE must disclose PHI (a) to individuals (or their personal representatives) when they request access to, or an accounting of disclosures of, their PHI; and (b) to HHS in a compliance investigation or enforcement action.

Permitted Uses and Disclosures

Permitted Uses and Disclosures. A CE may use and disclose PHI without an individual's authorization (1) to the individual; (2) for treatment, payment, and healthcare operations; (3) where the individual is incapacitated, in an emergency situation, or not available; (4) incident to an otherwise permitted use and disclosure; (5) for public interest; and (6) as a limited data set for research, public health or healthcare operations.

Authorized Uses and Disclosures

Authorization. A CE must obtain the individual's written authorization for any use or disclosure of PHI that is not for treatment, payment or healthcare operations or is not otherwise permitted or required (e.g. disclosure to a life insurer for coverage purposes, or to an employer of the results of a pre-employment physical or lab test). All authorizations must be in plain language and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, the right to revoke in writing, and other data. A CE must obtain an individual's authorization to use or disclose psychotherapy notes (with exceptions).

Marketing. A CE must obtain an authorization to use or disclose PHI for marketing, except for face-to-face marketing communications between a CE and an individual, and for a CE's provision of promotional gifts of nominal value.

Limiting Uses and Disclosures to the Minimum Necessary

Minimum Necessary. A CE must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request. A CE must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary.

Access and Uses. A CE must develop and implement policies and procedures that restrict access to and uses of PHI based on the specific roles of its workforce members: identify the persons, or classes of persons, who may access PHI, the categories of PHI, and any conditions under which they may have access to the PHI.

Disclosures and Requests for Disclosures. A CE must establish and implement policies and procedures for routine, recurring disclosures, or requests for disclosures.

Notice and Other Individual Rights

Privacy Practices Notice. A CE must provide a notice of its privacy practices. A CE healthcare provider with a direct treatment relationship must deliver a privacy practices notice: (a) not later than the first service encounter; (b) by posting the notice at each service delivery site; and (c) in emergency treatment situations, as soon as practicable after the emergency abates.

Acknowledgement of Notice Receipt. A CE with a direct treatment relationship with individuals must make a good faith effort to obtain written acknowledgement from patients of receipt of the privacy practices notice. The provider must document the reason for any failure to obtain the patient's written acknowledgement.

Access. Except in certain circumstances (e.g. psychotherapy notes), individuals have the right to review and obtain a copy of their PHI.

Amendment. Individuals have the right to have CEs amend their PHI when that information is inaccurate or incomplete. If a CE accepts an amendment request, it must make reasonable efforts to provide the amendment to persons that the individual has identified as needing it, and to persons that the CE knows might rely on the information to the individual's detriment. If the CE denies the request, it must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record.

Disclosure Accounting. Individuals have a right to an accounting of the disclosures of their PHI by a CE or the CE's BA. The maximum disclosure accounting period is the six years immediately preceding the accounting request, except that a CE is not obligated to account for any disclosure made before its Privacy Rule compliance date.

Restriction Request. Individuals have the right to request that a CE restrict use or disclosure of PHI for treatment, payment or healthcare operations, disclosure to persons involved in the individual's healthcare or payment for healthcare, or disclosure to notify family members or others about the individual's general condition, location, or death. A CE is under no obligation to agree to requests for restrictions.

Confidential Communications Requirements. Health plans and covered healthcare providers must permit individuals to request alternative means or locations for receiving communications of PHI other than those that the CE typically employs.

Administrative Requirements

CEs range from the smallest to the largest. The flexibility and scalability of the Rule allow CEs to implement solutions appropriate for their own environment.

Privacy Policies and Procedures. A CE must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.

Privacy Personnel. A CE must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person responsible for receiving complaints and providing individuals with information on the CE's privacy practices.

Workforce Training and Management. The CE must train its employees, volunteers, trainees, and other persons under its direct control on its privacy policies and procedures. A CE must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures.

Mitigation. A CE must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of PHI by its workforce or its business associates in violation of its privacy policies and procedures.

Data Safeguards. A CE must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI.

Complaints. A CE must have procedures for individuals to complain about its compliance with its privacy policies and procedures; e.g. it must identify to whom individuals can submit complaints.

Retaliation and Waiver. A CE may not retaliate against a person for exercising rights provided by the Privacy Rule, or require an individual to waive any right as a condition for obtaining treatment, payment, enrollment or benefits eligibility.

Documentation and Record Retention. A CE must maintain, for six years from the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, the disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.

Other Provisions: Personal Representatives and Minors

Personal Representatives. A CE must treat a "personal representative" in the same manner as the individual, unless the CE has a reasonable belief that the personal representative may be abusing or neglecting the individual, or could endanger the individual.

Special case: Minors. In most cases, parents are the personal representatives for their minor children and can exercise individual rights. If the parent is not considered the personal representative, the Privacy Rule defers to State law to determine the rights of parents to access and control the PHI of their minor children. If State and other law are silent, a healthcare professional in the exercise of professional judgment may grant or deny a parent access to the minor's PHI.

Enforcement and Penalties for Noncompliance

Compliance. There is no private right of action. The Rule provides processes for persons to file complaints with HHS, which may elect to conduct an investigation.

Civil Money Penalties. HHS may impose civil money penalties on a CE of $100 per failure to comply with a Privacy Rule requirement. That penalty may not exceed $25,000 per year for multiple violations of the identical requirement in a calendar year. Exceptions: when a violation is due to reasonable cause and did not involve willful neglect, and the CE corrected the violation within 30 days of when it knew or should have known of the violation.

Criminal Penalties. A person who knowingly obtains or discloses PHI faces a fine of $50,000 and up to one year of imprisonment. The criminal penalties increase to $100,000 and up to five years of imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years of imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Criminal sanctions will be enforced by the Department of Justice.

Compliance Dates

Compliance Schedule. All CEs, except "small health plans," must be compliant with the Privacy Rule by April 14, 2003. Small health plans, however, have until April 14, 2004 to comply.

Copies of the Rule & Related Materials

The entire Privacy Rule, as well as guidance and additional materials, may be found at http://www.hhs.gov/ocr/hipaa.
HIPAA Privacy Rule - Statutory and Regulatory Background
Francoise Gilbert
© 2003 IT Law Group – All Rights Reserved