For other versions of this document, see http://wikileaks.org/wiki/CRS-RS20500 ------------------------------------------------------------------------------ Order Code RS20500 Updated February 4, 2005 CRS Report for Congress Received through the CRS Web Medical Records Privacy: Questions and Answers on the HIPAA Rule C. Stephen Redhead Specialist in Life Sciences Domestic Social Policy Division Summary The HIPAA privacy rule gives patients the right of access to their medical information and prohibits health plans and health care providers from using or disclosing individually identifiable health information without a patient's written authorization except as expressly permitted or required by the rule. Plans and providers are permitted to use and disclose health information for treatment, payment, and other routine health care operations and for various specified national priority activities (e.g., law enforcement, public health, research). Providers may also share certain information with family members and others, as long as the patient is given the opportunity to object. Health plans and providers must give enrollees and patients a notice explaining their privacy rights and how their information will be used. They are also required to have in place reasonable safeguards to protect the privacy of patient information and, in general, must limit the information used or disclosed to the minimum amount necessary to accomplish the intended purpose of the use or disclosure. Entities that fail to comply with the rule are subject to civil and criminal penalties, but patients do not have the right to sue in federal court for violations of the rule. The privacy rule does not preempt, or override, state laws that are more protective of medical records privacy. Introduction Health plans and health care providers and their business associates are subject to the federal health information privacy regulation (45 CFR Parts 160, 164). The privacy rule gives patients the right of access to their medical information and prohibits health plans and health care providers from using or disclosing individually identifiable information without a patient's written authorization except as expressly permitted or required by the rule. For routine health care operations, including treatment and payment, plans and providers may use and disclose health information without the individual's authorization. In certain other circumstances (e.g., disclosures to family members and friends), the rule requires plans and providers to give the individual the opportunity to object to the disclosure. The rule also permits the use and disclosure of health information without the individual's permission for various specified activities (e.g., public health oversight, law enforcement) that are not Congressional Research Service ~ The Library of Congress CRS-2 directly connected to the treatment of the individual. For uses and disclosures that are not permitted by the rule, plans and providers must obtain a patient's written authorization. They must also have in place reasonable administrative, technical, and physical safeguards to protect patient information from intentional or unintentional uses or disclosures that are in violation of the rule. The health privacy rule is one of several new standards mandated by the 1996 Health Insurance Portability and Accountability Act (HIPAA) to support the growth of electronic record keeping and claims processing in the nation's health care system. Under HIPAA, the Secretary of Health and Human Services (HHS) has issued electronic format and data standards for several routine administrative transactions between plans and providers (e.g., claims for payment). The Secretary has also issued security standards to safeguard electronic patient information against unauthorized access, use, and disclosure. Most plans and providers have until April 21, 2005, to comply with the security standards. The HIPAA privacy and security standards have helped lay the groundwork for the adoption of information technology (IT) systems in health care to support the electronic collection and exchange of patient information. Developing a secure platform to protect confidential health information is central to the growth of a national health information infrastructure that allows health care providers to share patient information. A small but growing number of communities and health care systems around the country have developed electronic medical records and established secure networks for the exchange of health data among providers, patients, and other authorized users. The creation of regional networks is seen as a critical step toward the goal of interconnecting the health care system nationwide. The handling of electronic patient information by these networks has important and, as yet, not fully understood implications for the privacy rule, which was developed with the traditional paper-based system of medical records in mind. Questions and Answers about the Health Privacy Rule Who Is Covered? As specified under HIPAA, the privacy regulation applies to three groups of entities: (i) individual and group health plans that provide or pay for medical care; (ii) health care clearinghouses (i.e., entities that facilitate and process the flow of information between health care providers and payers); and (iii) health care providers who transmit health information electronically in a standard format in connection with one of the HIPAA-specified transactions, or who rely on third-party billing services to conduct such transactions. The rule, therefore, does not apply directly to other entities that collect and maintain health information such as life insurers, researchers, employers (unless they are acting as providers or plans), and public health officials. However, business associates with whom covered entities share health information are covered. Business associates include persons who provide legal, actuarial, accounting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity. The rule permits a covered entity to disclose health information to a business associate or to allow the business associate to create or receive health information on its behalf, provided both parties sign a written contract that essentially binds the business associate to the covered entity's privacy practices. What Types of Health Information Are Covered? The rule covers all individually identifiable health information that is created or received by a covered entity, including genetic tests and information about an individual's family history. It applies to CRS-3 both paper and electronic records, as well as oral communications. Health information from which all personal identifiers have been removed is not subject to the rule. Can Patients Access and Amend Their Health Information? Yes, covered entities must allow patients to inspect or obtain a copy of their health information, except in certain limited circumstances. Covered entities may charge a reasonable, cost-based copying fee. Patients may also request amendment or correction of information that is incorrect or incomplete. Finally, patients have the right to receive a detailed accounting of certain types of disclosures of their health information made by covered entities during the past six years. Disclosures for routine health care operations and those made pursuant to an authorization (see below) are exempt from the accounting requirement. How May Plans and Providers Use and Disclose Patient Information? The privacy rule places certain limitations on when and how health plans and health care providers may use and disclose medical information. Generally, plans and providers may use and disclose health information for their own treatment, payment, and health care operations (TPO) without the individual's authorization and with few restrictions. A covered entity may also disclose information for: the treatment and payment activities of another provider; the payment activities of another health plan; and for certain health care operations of another covered entity, if each entity has a relationship with the patient. For example, a physician can mail or fax medical test results or a patient's medical record to a specialist who intends to treat the patient, provided that "reasonable safeguards" are used. Patients may request that covered entities restrict the use and disclosure of their information for TPO, but covered entities are not required to agree to such a request. The privacy rule also permits the disclosure of health information without a patient's authorization for the following specified national priority activities, consistent with other applicable laws and regulations. First, disclosures may be made for public health purposes (e.g., reporting diseases, collecting vital statistics), as required by state and federal law. Second, health information may be disclosed to public agencies to conduct health oversight activities such as audits; inspections; civil, criminal, or administrative proceedings; and other activities necessary for oversight of the health care system. Third, disclosures may be made to law enforcement officials pursuant to a warrant, subpoena, or order issued by a judicial officer, or pursuant to a grand jury subpoena. Disclosures for law enforcement purposes are also permitted pursuant to an administrative subpoena or summons where a three-part test is met (i.e., the information is relevant, the request is specific, and non-identifiable information could not reasonably be used). Fourth, health information may be disclosed in judicial and administrative proceedings if the request for the information is made through or pursuant to a court order. Fifth, covered entities may disclose health information to researchers without a patient's authorization, provided an Institutional Review Board (IRB) or an equivalent, newly formed "privacy board" reviews the research protocol and waives the authorization requirement.1 1 All federally funded research that involves human subjects, as well as clinical trials of new drugs and medical devices (regardless of the source of funding), are governed by a set of federal regulations called the Common Rule (45 CFR Part 46, Subpart A). Under the Common Rule, research proposals must be approved by an IRB, which decides whether or not to require informed consent based on the level of risk to the research subjects. CRS-4 Additionally, health information may be disclosed without authorization: (i) to coroners, medical examiners, and funeral directors; (ii) to workers' compensation programs; (iii) to a government authority authorized to receive reports of abuse, neglect, or domestic violence; (iv) to organizations in order to facilitate organ, eye, and tissue donation and transplantation; (v) to government agencies for various specialized functions (e.g., national security and intelligence activities); (vi) to avert a serious threat to health or safety; (vii) and in other situations as required by law. For the most part, the privacy rule addresses permissible uses and disclosures. HHS expects covered entities to rely on their professional judgement in deciding whether to permit the use or disclosure of health information. Covered entities are required to disclose information only to the individual who is the subject of the information and to HHS for enforcement of the rule. For all uses and disclosures of health information that are not otherwise required or permitted by the rule, covered entities must obtain a patient's written authorization (e.g., releasing information to financial institutions that offer mortgages and other types of loans, or selling mailing lists to marketing companies). Authorization forms must contain certain specified core elements including a description of the health information to be used or disclosed and the identity of the recipient of the information. In general, a covered health care provider may not condition treatment on receiving a patient's authorization. Health plans may condition enrollment or eligibility for benefits on the provision of an authorization prior to an individual's enrollment in the plan. Patients may in writing revoke their authorization at any time. Can Medical Information Be Shared with a Patient's Family or Friends? Yes, the rule permits covered entities to disclose information to a family member, relative, close friend, or other person identified by the individual. Only information that is directly relevant to such person's involvement with the individual's care may be shared. If the individual is present and able to make health care decisions, the covered entity may disclose information provided (1) the patient has been given, in advance, the opportunity to object to any disclosures, or (2) the covered entity, using professional judgment, reasonably infers that the patient does not object. In an emergency situation or if the patient is not present, the covered entity may use its professional judgment and experience with common practice in deciding whether a disclosure is appropriate. HHS has repeatedly stated that it is not the intent of the rule to impede common health care practices (e.g., hospitals discussing treatment options with spouses and relatives, and family members picking up a prescription). Does the Rule Restrict Parental Involvement and Notification? In general, a parent is deemed to have the rights associated with a minor's health information, including the right to authorize disclosure or to request access to the information. But if a minor is authorized by law to consent to treatment and has consented to care (with or without the consent of a parent), or if the parent has assented to an agreement of confidentiality between a provider and a minor, then the minor has the exclusive rights associated with that information. The rule, however, defers to state parental notification laws. It allows covered entities to disclose a minor's information to a parent (or provide the parent with access to such information) if such disclosure is permitted or required by state law. Similarly, disclosure to (and access by) a parent is prohibited where prohibited by state law. Where state law is silent or unclear about CRS-5 parental notification, the rule permits a covered entity to provide or deny access to the parent provided that action is consistent with state law. Are There Limits on the Amount of Information Disclosed? The rule requires that whenever a covered entity uses or discloses health information, or requests such information from another covered entity, it must make a reasonable effort to limit the information to the minimum amount necessary to accomplish the intended purpose of the use or disclosure. The minimum necessary standard does not apply to: disclosures to or requests by a provider for treatment purposes; disclosures made to patients upon their request; disclosures made to the Secretary to enforce compliance; authorized uses or disclosures; and uses or disclosures that are required by law. What about Incidental Disclosures? Incidental uses and disclosures of health information that occur as a result of a use or disclosure that is otherwise permitted under the privacy rule are not considered violations of the rule, provided that the covered entity has met the reasonable safeguards and minimum necessary standards. Examples of incidental uses and disclosures include patient sign-in sheets, bedside charts, and confidential conversations that are inadvertently overheard by others. Are Covered Entities Required to Explain Their Privacy Practices to Patients? Health plans and health care providers must provide patients with a written notice of their privacy practices. Plans are required to give notice at enrollment. Providers that have a direct treatment relationship with the patient are required to give notice at the date of first service delivery and, except in emergency situations, make a good faith effort to obtain a written acknowledgment from the patient of receipt of the notice. The notice must include a description of the patient's rights, the legal duties of the covered entity, and a description of the types of uses and disclosures of information that are permitted, including those that do not require an authorization. Does the Rule Restrict Employers' Access to Health Information? The rule permits a group health plan to disclose individually identifiable health information to an employer that sponsors the plan, provided the information is used only for plan administration purposes. In order for a group health plan to disclose health information to a plan sponsor, the plan documents must be amended so that they limit the uses and disclosures of information by the sponsor to those consistent with the privacy rule. In addition, an employer must certify to a group health plan that it will not use the information for employment-related actions (e.g., hiring and promotion decisions). The employer must agree to establish adequate firewalls, so that only those employees that need health information to perform functions on behalf of the group health plan have access to such information. Can Health Information Be Used for Marketing? A covered entity may not disclose health information to a third party (e.g., pharmaceutical company), in exchange for direct or indirect remuneration, for the marketing activities of the third party without first obtaining a patient's authorization. Similarly, a covered entity may not use or disclose health information for its own marketing activities without authorization. However, communications made by a covered entity (or its business associate) to encourage a patient to purchase or use a health care-related product or service are not defined as marketing under the rule and, therefore, do not require the patient's authorization, even if the covered entity is paid. Such communications include CRS-6 prescription refill reminders and information about alternative treatments, as well as more controversial activities paid for by third parties (e.g., communications by pharmacies, paid for by a drug manufacturer, that recommend patients switch their medication to the company's product). What Must Covered Entities Do to Ensure Compliance? Covered entities must have reasonable administrative, technical, and physical safeguards in place, commensurate with the size and scope of their business, to protect the privacy of patient information. These include designating a privacy official, training employees, and developing a system of sanctions for employees who violate the entity's policies. Covered entities are not directly liable for the actions of their business associates. They may be held liable if they know of a business associate's pattern of activity or practice in violation of the contract unless they take reasonable steps to correct the problem and, if such steps are unsuccessful, terminate the contract or report the problem to HHS. Does the Rule Preempt State Health Privacy Laws? As mandated by HIPAA, the rule does not preempt, or override, state laws that are more protective of patient privacy. Although most states do not have comprehensive health privacy laws, many states have detailed, stringent standards governing the use and disclosure of health information related to certain medical conditions, such as mental illness, genetic testing, and communicable diseases (e.g., HIV/AIDS). These stronger privacy protections will remain in force. The rule only preempts state laws that are in conflict with its requirements and that provide less stringent privacy protections. Therefore, it serves as a federal "floor" of minimum privacy protections. How Will the Rule Be Enforced? Any person who believes a covered entity is not complying with the privacy rule may file a complaint with HHS's Office of Civil Rights (OCR), which is responsible for implementing and enforcing the rule. OCR is working with covered entities to encourage voluntary compliance. It says that enforcement of the rule will be reactive and complaint-driven. Under HIPAA, OCR has the authority to impose civil monetary penalties against covered entities that fail to comply with the rule, and the Department of Justice may seek criminal penalties for certain wrongful disclosures of personal health information. The civil fines are $100 per incident, capped at $25,000 per year for each provision that is violated. The criminal penalties include fines of up to $250,000 and up to 10 years in prison for disclosing or obtaining health information with the intent to sell, transfer or use it for commercial advantage, personal gain, or malicious harm. HIPAA did not provide a private right of action for individuals to sue for violations of their health information privacy in federal court. However, nothing in HIPAA prohibits aggrieved individuals from filing a state law claim against a covered entity for its noncompliance and resulting harm. Where Can I Obtain More Information? General information on all the HIPAA standards can be found at [http://aspe.os.dhhs.gov/admnsimp]. Implementation guidance, answers to frequently asked questions, and other details on complying with the privacy rule may be found on the OCR website at [http://www.hhs.gov/ocr/hipaa]. ------------------------------------------------------------------------------ For other versions of this document, see http://wikileaks.org/wiki/CRS-RS20500