For other versions of this document, see http://wikileaks.org/wiki/CRS-RS20934 ------------------------------------------------------------------------------ Order Code RS20934 Updated April 30, 2003 CRS Report for Congress Received through the CRS Web A Brief Summary of the HIPAA Medical Privacy Rule Gina Marie Stevens Legislative Attorney American Law Division Summary This report provides a brief overview of the modified HIPAA Privacy rule, "Standards for the Privacy of Individually Identifiable Health Information"("privacy rule") published on August 14, 2002 by the Department of Health and Human Services (HHS).1 Issuance of the modified Privacy Rule by the Bush Administration is the culmination of a decades long debate over access to medical records that has pitted privacy advocates and civil libertarians against employers and much of the health care industry. As required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), a privacy rule was issued in December 2000, and modified August 2002. The privacy rule went into effect April 14, 2001, with compliance required by April 2003 for most entities.2 The HIPAA Privacy Rule establishes a set of basic consumer protections and a series of regulatory permissions for uses and disclosures of protected health information. S. 16, introduced in the 108th Congress by Senator Daschle, would reverse some modifications to the rule. This report will be updated. Background. In recent years, our society has come to rely increasingly on medical information to perform basic functions and to make decisions about individuals. However, a number of fundamental developments have threatened the confidentiality of health-care information, and are the cause of a great deal of concern. The emergence of third-party payment plans; the use of health-care information for non-health care purposes; the growing involvement of government agencies in virtually all aspects of health care; and the exponential increase in the use of computers and automated information systems for health record information have combined to put substantial pressure on traditional confidentiality protections. In addition, an increasing number of parties involved in health care treatment, payment, and oversight have routine access to personally identifiable health records. Greater utilization of health-care information 1 [http://www.hhs.gov/ocr/combinedregtext.pdf]. 2 See CRS Report RS21505, Compliance with the HIPAA Medical Privacy Rule, by Gina Stevens. Congressional Research Service ~ The Library of Congress CRS-2 coupled with inadequate confidentiality protections has increased the potential for unauthorized uses and disclosures of medical information. The disclosure of personally identifiable health-care information can profoundly affect people's lives. "It affects decisions on whether they are hired or fired; whether they can secure business licenses, and life insurance; whether they are permitted to drive cars; whether they are placed under police surveillance or labeled a security risk; or even whether they can get nominated for and elected to political office."3 Other secondary uses of health-care information, such as the use of genetic test results for employment and insurance purposes, have the potential to result in harm to the health-care subject if the information is disclosed for unauthorized purposes. These factors accentuate the need for strong legal safeguards. Medical Privacy Laws. The confidentiality of health-care information is governed by various federal, state, and local statutes, ordinances, regulations, and case law. Also applicable are private accreditation standards, such as those of the Joint Commission on Accreditation of Healthcare Organizations, internal policies of particular institutions, and ethical guidelines of professional organizations. Prior to the issuance of the HIPAA privacy rule, federal laws did not address the confidentiality of health-care information collected and maintained by the private sector (i.e., doctors, hospitals, health plans, health insurers, and other health-care related entities). A major impetus for the enactment of HIPAA's privacy requirement was the absence of a comprehensive federal law that protected the confidentiality of patient records in all settings. Another impetus for the enactment of HIPAA was the lack of uniformity among the states in their treatment of the confidentiality of health-care information. There was substantial variation between the states on many aspects of medical records law. These differences are becoming much more critical in the collection, maintenance, and disclosure of health-care information as it is transmitted through interstate commerce amongst patients, physicians, health-care facilities, employers, government agencies, and insurers located in different states and subject to different laws. To address this disparity, HIPAA provides that state law, except for certain specified laws (concerning public health surveillance) and state laws that are more stringent, is preempted by the federal privacy rule. A compendium of state laws issued July 20, 1999 and November 2002 by Georgetown University's Health Privacy Project, "The State of Health Privacy: An Uneven Terrain", identifies medical records privacy provisions from state legislative codes. The report covers only state statutes and divides them by patient access, restrictions on disclosure, privilege, and condition specific requirements.4 HIPAA. Several comprehensive medical records confidentiality bills were introduced during the past decade, with the end result being passage of the medical privacy requirements as part of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, 42 U.S.C. §§ 1320d et seq., was created to improve the portability and continuity of health insurance coverage, to combat waste, fraud and abuse in health care, to promote the use of medical savings accounts, to improve access to long term care, and to simplify the administration of health insurance. Sections 261 through 264 of HIPAA are known as the administrative simplification provisions. The general 3 A. Westin, Computers, Health Records, and Citizen's Rights 60 (1976). 4 See, [http://www.healthprivacy.org/info-url_nocat2304/info-url_nocat.htm]. CRS-3 administrative simplification rule requires health care payers and providers who transmit transactions electronically to use standardized data elements to conduct financial and administrative transactions. Section 262 directs HHS to issue standards to facilitate the electronic exchange of information, and to develop standards to protect the security of such information. Section 264 of HIPAA requires HHS to submit to the Congress detailed recommendations on standards with respect to privacy rights for individually identifiable health information. The Secretary made preliminary privacy recommendations to Congress in September 1997, based on the core fair information principles of notice, consent, access, security, and enforcement/redress, to: limit the use of an individual's health care information to health purposes only; require organizations to provide adequate security measures to protect information from misuse or disclosure; provide patients with new rights to control how their health information is used, such as the ability to get copies of records and propose corrections; hold those who misuse personal health information accountable, and provide redress for persons harmed by its misuse through criminal and civil penalties; and balance privacy protections with public responsibility to support national priorities, including public health, research, quality care, and reduction of fraud and abuse, including allowing law enforcement access to personal health information. In the 106th Congress several proposals to protect health information were considered, but Congress did not pass legislation. None of the bills were reported out of committee, with disagreements over the patient's right to sue, parental notification of minor's access to health care, and preemption precluding agreement. In the absence of the enactment of federal legislation, HIPAA required HHS to issue privacy regulations. The December 2000 Privacy Rule. The final privacy regulation was published in the Federal Register on December 28, 2000 at 65 Fed. Reg. 82462, shortly before the Clinton Administration left office, and after HHS received over 52,000 comments on its initial proposal. Its original effective date of February 26, 2001 was subsequently changed to April 14, 2001.5 Enforcement of the rule begins in April 2003, except for small health plans (annual receipts of $5 million or less) who have until 2004 to comply. The medical privacy rule prohibits covered entities from disclosing protected health information to any third parties, unless the rules otherwise permit the disclosure. Applicability. The rule covers health plans, health care providers, and health care clearinghouses (entities that process or facilitate the processing of nonstandard data elements of health information into standard data elements). It only covers information that is electronically transmitted or maintained. It covers protected health information in any form, whether oral, written or electronic. Individual Rights. Individuals are given a right of access to their health information, a right to receive notice of the covered entity's privacy policies, a right to request amendments of their information, a right to an accounting of the disclosures made, and a right to file complaints regarding use or disclosure of their information. Individuals may request that restrictions be placed on the disclosure of their health information. 5 66 Fed. Reg. 12433 (Feb. 26, 2001)(the delayed effective date occurred as a result of HHS' failure to submit the rule to Congress for the required 60-day review period until February 13, 2001); see also 5 U.S.C. § 801(a)(1). CRS-4 Permitted Uses and Disclosures With Consent or Authorization. The use of protected health information for treatment, payment, or health care operations (a provider's or health plan's management and other activities necessary for support of treatment or payment) requires the prior written consent of a patient. Disclosures for purposes other than treatment, payment, and health care operations require a prior written authorization. Permitted Uses and Disclosures Without Consent or Authorization. Certain public priority uses and disclosures of information do not require prior written consent or authorization (such as health system oversight, public health activities, certain research activities, law enforcement, judicial and administrative proceedings, emergency treatment, and imminent threats to the health or safety of any person). Covered entities are permitted to disclose information to law enforcement for purposes of health care oversight (i.e., investigations of health care fraud, government program fraud, and civil rights investigations), for general law enforcement investigations (i.e., in response to grand jury subpoenas and court orders), to avert a serious threat to health and safety, to coroners and medical examiners, for investigations involving abuse, neglect, or domestic violence. Information Practices. Disclosures of protected health information other than for treatment purposes must use only the "minimum necessary" information. Covered entities must enter into contracts with "business associates" requiring them to protect individual health information, and must take action if they know of practices by their business associates that violate the contractual agreement. Covered entities must adhere to specific procedures in using information for fundraising or marketing. There are special requirements that apply to both federal and privately funded research. Psychotherapy notes may not be used or disclosed to others without explicit authorization. Preemption. State law, except for certain specified laws (concerning public health surveillance) and state laws that are more stringent, is preempted by the federal rule. Enforcement. The Secretary, covered entities, and others are required to ascertain compliance with, and enforcement of the privacy regulation. Any person may file a complaint with the HHS Office for Civil Rights. In cases of noncompliance, the Secretary is directed to resolve the matter by informal means. If the matter cannot be resolved informally, the Secretary may issue written findings of non-compliance that may be used as a basis for initiating action (civil monetary penalties) or a criminal referral. Penalties. Violators will be subject to civil monetary penalties ($100 per violation up to $25,000 per year), and criminal penalties (up to $250,000 and imprisonment up to 10 years) against covered entities that knowingly and improperly disclose identifiable health information. The regulation does not authorize patients to sue. Instead, the law provides that individuals must direct their complaints to HHS' Office for Civil Rights (OCR).6 OCR maintains a Web site with information on the new regulation, including guidance at [http://www.hhs.gov/ocr/hipaa/]. HHS also recently issued a 20 page "Summary of the HIPAA Privacy Rule."7 HHS will enforce the civil money penalties, and the Department of Justice will enforce the criminal penalties. 6 See [http://www.ehcca.com/presentations/hipaa6/campanelli.pdf]. 7 [http://www.hhs.gov/ocr/privacysummary.pdf]. CRS-5 The final privacy rule was criticized by some for its complexity, and for the imposition of substantial administrative and financial burdens on the health care industry. At the same time, the regulation was applauded by privacy advocates, consumer groups, and some health care industry participants. The General Accounting Office found that considerable uncertainty existed regarding the actions needed to comply with the new privacy regulations. Major concerns among stakeholder groups and the Congress centered on consent and authorization procedures; contractual liability and business associates; parental access to minors' health information (typically related to substance abuse, mental health treatment, and reproductive care); preemption of state laws; law enforcement access to protected health information; costs; and technical assistance. The August 2002 Privacy Rule. The Bush Administration and HHS re-opened the privacy rule to additional comment on February 8, 2001,8 and announced that it would accept further comments on the rule until March 30, 2001, see 66 Fed. Reg. 12378. The scope and cost of the rule, coupled with the substantial nature of some concerns raised in the initial comment period, led HHS to conclude that an additional comment period was warranted. On April 12, 2001, Secretary Thompson announced that HHS would immediately begin the process of implementing the patient privacy rule, of issuing guidelines, and of considering any necessary modifications. Several areas were targeted for clarification or modification: impediments to information sharing; consent and authorization procedures; parental access to minors' health information; uses and disclosures for treatment, payment, and health care operations; notices of privacy practices; minimum necessary uses and disclosures; oral communications; business associates; uses and disclosures for marketing; parents as the personal representatives of unemancipated minors; uses and disclosures for research purposes; uses and disclosures for which authorizations are required; and de-identification. On July 6, 2001 HHS issued interpretative guidance materials on the rule.9 In response to numerous and extensive comments received by HHS, along with intense lobbying efforts by various stakeholders, in March 2002 the Bush Administration issued proposed modifications to the privacy rule in the Federal Register at 67 Fed. Reg. 14775, and permitted a 30-day comment period on its proposal. On August 14, 2002, HHS published in the Federal Register the privacy rule with certain modifications, 67 Fed. Reg. 53181.10 The August 2002 modification is virtually unchanged from the March 2002 proposal, does not require Congressional approval, and has the force of law. A summary of significant final modifications follows. For detailed discussion of medical privacy issues, see CRS Report RS20500, Medical Records Privacy: Questions and Answers on the HIPAA Final Rule. Notice. The August 2002 rule adds a new requirement for health care providers with a direct treatment relationship, that they make a good faith effort to obtain an individual's written acknowledgment of receipt of the provider's privacy notice. 8 During the 12 month period after the standards are initially adopted, the Secretary is permitted to modify the standards only if necessary to permit compliance. After the first year of adoption, HHS may modify the standards not more than once every 12 months. 42 U.S.C. § 1320d-3(b). 9 Available at [http://www.hhs.gov/ocr/hipaa/finalmaster.html]. 10 Available at [http://www.hhs.gov/ocr/combinedregtext.pdf]. CRS-6 Consent and Authorization. The requirement for providers to obtain an individual's prior written consent to use or disclose protected health information for treatment, payment or health care operations was eliminated. The August 2002 rule permits covered entities to obtain consent, but does not require it. Although patient authorizations will still be required to use and disclose information for purposes outside of treatment, payment, and health care operations, the August 2002 rule standardizes the core requirements in authorization forms, and allows health care groups to use a single type of authorization to get permission to use information for a specific purpose or disclosure. Minimum Necessary. The August 2002 rule exempts from the minimum necessary standards any uses or disclosures for which an authorization has been received. Incidental Use and Disclosure. The August 2002 rule explicitly permits incidental disclosures resulting from activities such as discussions at nursing stations, the use of sign-in sheets, calling out names in waiting rooms, etc. provided reasonable safeguards and minimum necessary requirements are met. Business Associates. The August 2002 rule allows covered entities, except small health plans, up to one year beyond the April 14, 2003 enforcement date to change existing contracts with business associates. Marketing. The August 2002 rule requires covered entities to obtain prior patient authorization for marketing, except for a face-to-face communication or a communication involving a promotional gift of nominal value. The rule distinguishes between activities that are and are not marketing. The definition of "marketing" in the new rules excludes communications by a health care provider promoting its own goods and services. Medical Information of Minors. The December 2000 privacy rule generally gives control of health information about a minor to the parent, guardian, or person acting in loco parentis. The August 2002 rule clarifies that state law governs in the area of parents and minors, and that HIPAA does not overturn state laws that give providers discretion to disclose or deny health information to parents. Research. The December 2000 privacy rule provides that protected health information may not be used or disclosed for research without either a written authorization or a waiver of authorization approved by an Institutional Review Board or a Privacy Board. In the August 2002 rule, HHS significantly simplified the administrative burdens for obtaining authorizations and assessing requests for waivers of authorization. Disclosures to Obtain Payment. The December 2000 rule prevents a provider from disclosing protected health information to another entity for other than treatment purposes. A covered entity is permitted to disclose protected health information to other covered entities and to noncovered health care providers to enable for payment purposes. Legislation. S. 16, The Equal Rights and Equal Dignity for Americans Act, would, among other things, reverse August 2002 modifications to the privacy rule (section 903). ------------------------------------------------------------------------------ For other versions of this document, see http://wikileaks.org/wiki/CRS-RS20934