Copyright 2000 Federal News Service, Inc.
Federal News Service
February 17, 2000, Thursday
SECTION: PREPARED TESTIMONY
LENGTH: 8055 words
HEADLINE:
PREPARED TESTIMONY OF HONORABLE MARGARET A. HAMBURG, M.D., ASSISTANT SECRETARY
FOR PLANNING AND EVALUATION U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
BEFORE THE HOUSE COMMITTEE ON WAYS AND MEANS
SUBCOMMITTEE ON HEALTH
SUBJECT - THE CONFIDENTIALITY OF PATIENT
RECORDS
BODY:
Mr. Chairman, Congressman
Stark, distinguished members of the Committee: I appreciate the opportunity to
appear before you to discuss the need for federal legislation to ensure
comprehensive privacy safeguards for health information. This issue is a top
priority for the Department and the Administration, and although the regulation
that we recently proposed serves as a foundation for providing strong privacy
protections for consumers' health information, we continue to believe that
legislation is ultimately necessary if we are to appropriately protect the
privacy of the health information of all Americans.
At the outset, I
want to commend the members of this Subcommittee, Mr. Thomas, Mr. Stark, and Mr.
McDermott, as well as Mr. Cardin, for their interest in health care privacy and
efforts to develop this important and complex legislation. In addition, we are
encouraged by the recent appointment of two congressional task forces to address
privacy issues. The "Congressional Privacy Caucus" has the potential to generate
the momentum needed to enact legislation this year.
As you may remember,
Secretary Shalala first presented her recommendations, required by the Congress
under Section 264 of the Health Insurance Portability and Accountability Act
(HIPAA), in September 1997.(1) I think it is fair to say that the
recommendations were well received and have been used to assist others in
crafting their own legislative proposals. HIPAA also requires that if
legislation establishing comprehensive privacy protection was not enacted by
August of last year, HHS must prepare final regulations. We assembled an
interagency team to assist us in preparing the proposed regulation, including
representatives from the Departments of Labor, Defense, Justice, Commerce, the
Social Security Administration, the Office of Personnel Management, the
Department of Veterans Affairs, and the Office of Management and Budget. We
published the proposed rule on November 3 of 1999; the period for public comment
closes today, February 17, 2000, and we will call upon a similarly broad team to
review and respond to the public comments.
We explained the basis for
our proposals in detail in the preamble to the proposed rule and asked for
comments on over 150 specific issues. We are committed to reviewing all the
public comments. Nothing in our proposed rule is set in stone. We are committed
to achieving the proper balance between ensuring patient privacy and the needs
of the health care system to function properly and continue advances in medical
treatment. Our commitment to 'getting it right' led us to extend the comment
period from January 3 to February 17, so the public and stakeholders would have
adequate time to consider the proposed rule, comment, and suggest alternative
proposals.
Since we have just begun to review the comments, I will not
speculate on or debate the contents of the final rule today. I can tell you
that, as of yesterday, we had received over 30,000 comments by mail or hand
delivery, and another 10,000 on our web site. Further, we met with dozens of
individuals and organizations to hear more about their concerns and clarify
provisions of the proposed rule.
While we are moving ahead to prepare the
final regulation, the President and Secretary Shalala have made it very clear
that their first priority is to see Congress enact a health information
privacy bill that builds upon the progress made by our proposed
regulation and ensures comprehensive privacy protections. We believe our rule
will be a very good start in providing confidentiality protections, but
legislation is needed to complete this important task and provide the
protections envisioned in the Secretary's recommendations. Our staff have been
working closely with many of your staff, and staff in the Senate, to assist you
in achieving that goal. Again, let me reiterate, we want to see legislation, and
we want to work with you to make that happen.
The issue of
health information privacy is quite complex - in order to
resolve it legislatively, some difficult choices will have to be made. We
believe that our recommendations strike the appropriate balance between the
privacy needs of our citizens and the critical needs of our health care system
and our nation. This is an issue that touches every single American, and to
reach resolution we will need a bipartisan effort.
THE NEED FOR
LEGISLATION
It has been over 25 years since a public advisory committee
appointed by former HEW Secretary Elliot Richardson set forth principles of fair
information practices that led to the landmark Federal Privacy Act. The Privacy
Act is premised on the idea that individuals have a right to know what personal
information the government holds about them, how that information will be used,
and the right to review that information. Those 25 years have brought vast
changes in our health care system.
Changes in our health care delivery
system mean that we must place our trust in entire networks of insurers and
health care professionals - both public and private. The computer and
telecommunications revolutions mean that information no longer exists in one
place - it can travel in real time to many hospitals, physicians, insurers, and
across state lines.
In addition, new discoveries in biology mean that a
whole new world of medical tests has the potential to help prevent disease.
However, they also reveal the most personal health information about an
individual and his or her family. Without safeguards to assure citizens that
getting tested will not endanger their families' privacy or health insurance, we
could endanger one of the most promising areas of research our nation has ever
seen.
Health care privacy can be safeguarded. It must be done with
national legislation, national education, and an on-going national conversation.
Currently, when we give a physician or health insurance company precious
health information, the level of protection will vary widely from state to
state. We have no comprehensive federal health information
privacy standards. Because the practice of health care is increasingly
becoming interstate through mergers, complex contractual relationships and
enhanced telecommunications, we can no longer rely on the existing patchwork of
state laws. The patchwork does not provide Americans the privacy protections
they need or expect. The Congress should seize upon this opportunity to create
strong federal standards and reassure the public that they can trust their
health care providers and insurers to keep their health information secure.
In developing our recommendations for federal legislation, we learned a
great deal through consultations with a variety of outside groups and from six
days of public hearings conducted by the National Committee on Vital and Health
Statistics, our statutory federal advisory committee for health data and privacy
policy. The hearings involved over 40 witnesses from across the health
community, including health care professionals, plans, insurance companies, the
privacy community, and the public health and research communities.
We believe our recommendations provide a balanced framework for
legislation that can protect the privacy of medical records, guarantee consumers
the right to inspect their records, and punish unauthorized disclosures of
personal health data by hospitals, insurers, health plans, drug companies or
others.
THE PRINCIPLES
The Secretary's recommendations for
legislation, and our proposed regulation, are grounded in five key principles:
Boundaries, Security, Consumer Control, Accountability, and Public
Responsibility.
Boundaries
The first is the principle of
Boundaries: With very few exceptions, personally identifiable health care
information should be disclosed for health purposes and health purposes only. It
should be easy to use it for those purposes, and very difficult to use it for
other purposes.
For example, employers should be able to use the
information furnished by their employees to provide on-site care or to
administer a health plan in the best interests of those employees. But those
same employers should not be able to use information obtained for health care
purposes to discriminate against individuals when making employment decisions -
such as hiring, firing, training, placements and promotions. To enforce these
boundaries, we recommend strong penalties for the inappropriate use or
disclosure of medical records.
We recommend that the legislation apply
specifically to providers and payers, and to anyone who receives health
information from a provider or payer, either with the authorization of the
patient or as authorized explicitly by legislation. To the extent allowed under
the HIPAA statute, we have taken this approach in our proposed regulation. Our
proposed rule would authorize the use and disclosure of personal information by
health plans and providers without the person's consent for specified health care
and national priority purposes, and would require fair and informed consent from
individuals for all other uses. However, as discussed below, the statute limits
our authority to ensure that information that leaves a health plan or provider
remains protected.
Our recommendations also recognize that these
providers and payers do not act alone. In order for a provider or payer to
operate efficiently, it may need to enlist a service organization to perform an
administrative or operational function. For example, a hospital may hire an
organization to encode and process bills, or a managed care organization may
contract with a pharmaceutical benefit management company to provide information
to pharmacists about what medications are covered and appropriate for their
customers.
The numbers and types of service organizations are increasing
every day. While most do not have direct relationships with the patients, they
do have access to their personal health care information. Therefore, we
recommend that they should be bound by the same standards. For example, a health
plan's contractor should be allowed to have access to patient lists in order to
do mailings to remind patients to schedule appointments for preventive care. But
it should not be able to sell the patient lists to a pharmaceutical company for
a direct mailing announcing a new product (without the person's consent). With
the Business Partner provisions of our proposed Privacy Standards, we have taken
this approach to the extent allowed under the HIPAA statute.
Security
The second principle is Security. Americans need to feel secure that
when they give out personal health care information, they are leaving it in good
hands. Information should not be used or given out unless either the patient
authorizes it or there is a clear legal basis for doing so.
There are
many different ways that private information like your blood tests could become
public. People who are allowed to see it - such as lab technicians - can misuse
it either carelessly or intentionally. And people who should not be seeing it -
such as marketers or even hackers - can find a way to access it, either because
the organization holding the information doesn't have proper safeguards or the
marketers can find an easy way around the safeguards. To give Americans the
security they expect and deserve, Congress should develop legislation that
requires those who legally receive health information to take reasonable steps
to safeguard it or face consequences for failure to do so.
What do we
mean by reasonable steps? The organizations should be required to have in place
protective administrative and management techniques, educate their employees
about these procedures, and impose disciplinary sanctions against employees who
use information improperly or carelessly.
We addressed some of these
steps in our Security Standards regulation, implementing the Administrative
Simplification mandate under HIPAA.(2) That NPRM laid out a range of approaches
for safeguarding the information to which the HIPAA mandate applies. In the
privacy NPRM we proposed related steps for safeguarding health information, and
we will coordinate these requirements in the final Security and Privacy
regulations. However, these regulations will not reach all health information
held by health plans and providers. We need legislation to cover all health
information that needs this kind of protection.
We don't believe a law
can specify the details of these protections because each organization must keep
pace with the new threats to our privacy and the technology that can either
abate or exacerbate them. But a federal law can require everyone who holds
health information to have these types of safeguards in place and specify the
appropriate sanctions if the information is improperly disclosed. In our
regulations, we have proposed such a "scalable" approach, to reflect the
differences in the size and nature of the entities that hold health information.
The proposed regulations set forth the basic principles and general criteria for
securing health information, and leave the specific steps for meeting these
principles to each regulated entity. In this way, each entity can take the steps
most appropriate to its size, the nature of the information it holds, and its
business practices.
Consumer Control
The third principle is
Consumer Control. The principles of fair information practice (formulated in
1973 by a committee appointed by Secretary Richardson) included as a basic
right: "There must be a way for an individual to find out what information about
him is in a record and how it is used."
With very narrow exceptions,
consumers should have the right to find out what is contained in their records,
find out who has looked at them, and to inspect, copy and, if necessary, correct
them. Consumers should be given a clear explanation of these rights and they
should understand how organizations will use their information. Let me give you
an example of why this is important. According to the Privacy Rights
Clearinghouse, a California physician in private practice was having trouble
getting health, disability, and life insurance. She ordered a copy of her report
from the Medical Information Bureau - an information service used by many
insurance companies. It included information showing that she had a heart
condition and Alzheimer's disease. There was only one problem. None of it was
true. Unfortunately, under the current system these types of errors occur all
too often. Consumers often do not have access to their own health records and
even those who do are not always able to correct some of the most egregious
errors.
With that in mind, our Recommendations set forth a set of
practices and procedures that would require that insurers and health care
providers provide consumers with a written explanation of who has access to
their information and how that information will be used, how they can restrict
or limit access to it, and what their rights are if their information is
disclosed improperly.
We also recommend procedures for patients to
inspect and copy their information, and set out the very limited circumstances
under which patient inspection should be properly denied.
Finally, we
recommend a process for patients to seek corrections or amendments to their
health information to resolve situations in which innocent coding errors cause
patients to be charged for procedures they never received, or to be on record as
having conditions or medical histories that are inaccurate. The proposed privacy
standards follow these Recommendations.
Accountability
The fourth principle is Accountability. If you are using information
improperly, you should be punished. This flows directly from the second
principle of security - the requirement to safeguard information must be
followed by real and severe penalties for violations. Congress should send the
message that protecting the confidentiality of health information is vitally
important, and that people who violate that confidence will be held accountable.
We recommend that offenders should be subject to criminal felony
penalties if they knowingly obtain or use health care information in violation
of the standards outlined in our report. The penalties mandated in privacy
legislation should be higher when violations are for monetary gain. In addition,
when there is a demonstrated pattern or practice of unauthorized disclosure,
those committing it should be subject to civil monetary penalties.
In
addition to punishing the perpetrators, we must give redress to the victims. We
believe that any individual whose privacy rights have been violated should be
permitted to bring a legal action for actual damages and equitable relief. The
standard for such actions should not be set so high as to make the right
meaningless in practice. Attorney's fees and punitive damages should be
available when the violation is particularly egregious. As described more fully
below, the HIPAA legislative authority does not allow the regulation to
accomplish these goals.
These first four principles - Boundaries,
Security, Consumer Control and Accountability - must be carefully weighed
against the fifth principle, Public Responsibility.
Public
Responsibility
Just like our free speech rights, privacy rights can
never be absolute. We have other critical - yet often competing - interests and
goals. We must balance our protections of privacy with our public responsibility
to support national priorities - public health and safety, research, quality
care, and our fight against health care fraud and abuse and other unlawful
activities.
Our Department is acutely aware of the need to use personal
health information for each of these national priorities. For example,
researchers have used health records to help us fight childhood leukemia and
uncover the link between DES and reproductive cancers. Public health agencies
use health records to warn us of outbreaks of emerging infectious diseases. HHS
auditors use health records to uncover kickbacks, overpayments and other
fraudulent activity. In addition, our efforts to improve quality in our health
care system depend on our ability to review health information to determine how
well health institutions and health professionals are caring for patients.
For public health and safety, research, quality evaluations, fraud
investigations, and legitimate law enforcement purposes, it's not always
possible, or desirable, to ask for each patient's authorization for access to
the necessary health information. And, in many cases, doing so could create
major obstacles in our efforts. While we must be able to use identifiable
information when necessary for these purposes, we should use information that is
not identifiable as much as possible.
To demonstrate how access must be
balanced against public responsibility, let me outline a few of the areas in
which we recommend that disclosure of health information should be permitted
without patient authorization.
Public Health and Safety
Under
certain circumstances, we recommend permitting health care professionals,
payers, and those receiving information from them to disclose health information
without patient authorization to public health authorities for disease
reporting, adverse event reporting, public health and safety investigation, or
intervention. This is currently how the public health system operates under
existing State and federal laws.
For example, consider the outbreak of
E. coli in hamburger that resulted in the largest recall of meat products in
history. Public health authorities, working with other officials, used
personally identifiable information to identify quickly the source of the
outbreak and thereby prevent thousands of other Americans from being exposed to
a contaminated product.
Research
An important mission for the
Department of Health and Human Services is to fund and conduct health research.
We understand that research is vitally important to our health care and to
progress in medical care. Legislation should not impede this activity.
Today the Federal Policy for Protection of Human Subjects (the Common
Rule) and FDA's Human Subject Protection Regulations protect participants in
research studies that are funded or regulated by the federal government. These
rules help protect the research subjects while not impeding the conduct of
research. To protect patient privacy, we recommend that similar protections
should be extended to all research in which individually identifiable health
information is disclosed without patient authorization, and not just federally
funded or regulated research.
Researchers should determine whether their
research requires the retention of personal identifiers. There are research
studies that can only be conducted if identifiers are retained; for example,
outcomes studies for heart attack victims or the recent study which identified a
correlation between the incidence of Sudden Infant Death Syndrome and the
infant's sleep position. In addition, if, and when, personal identifiers are no
longer needed, the researcher should be required to remove them and provide
assurances that the information will be protected from improper use and
unauthorized additional disclosures.
Under the Common Rule, if personal
identifiers are necessary, an IRB (Institutional Review Board) must review the
research proposal and determine whether informed consent is required or may be
waived. In order for informed consent to be waived, an IRB must determine that
the research involves no more than minimal risk to participants, that the
absence of informed consent will not adversely affect the rights and welfare of
participants, that conducting the research would be impracticable if consent
were required, and that whenever appropriate, the participants will be provided
with additional pertinent information after participation. This kind of IRB,
privacy board, or a similar mechanism of review should be applicable for all
research using individually identifiable health information without a patient
authorization, regardless of funding source.
Because the Common Rule was
designed for protection of human subjects in general, not specifically with
privacy protection in mind, our Recommendations included additional criteria for
release of information without the subject's consent. We included those criteria
in our proposed rule. We believe that, before an IRB or privacy board can
approve disclosure of health information without the subject's consent, it
should determine that: the research would be impracticable to conduct without
the identifiable health information; the research project is of sufficient
importance to outweigh the privacy intrusion that would result from the
disclosure; there is an adequate plan to protect the identifiers from improper
use and disclosure; and there is an adequate plan to destroy the identifiers at
the earliest opportunity, unless there is a health or research justification for
retaining identifiers. We have included these additional criteria in the
proposed privacy regulation.
PREEMPTION
Our recommendations call
for national standards. But, we do not recommend outright or overall federal
preemption of existing State laws that are more protective of health
information.
Some protections that we recommend will be stronger than
some existing State laws. Therefore, we recommend that Federal legislation
replace State law only when the State law is less protective than the Federal
law. Thus, the confidentiality protections provided would be cumulative and the
Federal legislation would provide every American with a basic set of rights with
respect to health information.
This is consistent with the broader
approach taken to preemption in the HIPAA statute, both in the insurance reform
provisions and the administrative simplification and privacy provisions. For the
most part, State laws that go further than the federal law are preserved. We
recognize that there are some concerns with this approach.
In
fact, some of these concerns are recognized in the privacy provisions of the
HIPAA statute, which create carve-outs from preemption for state laws governing
certain public health functions as well as other specific activities such as
fraud and abuse. At the same time, we believe that, if a federal law is
sufficiently strong, states will not need to enact additional privacy
legislation.
HHS PROPOSED PRIVACY STANDARDS
Process and Status
To assist us in developing the proposed rule, we assembled an
interagency team including representatives from all parts of HHS, as well as the
Departments of Labor, Defense, Commerce, and Justice, the Social Security
Administration, the Department of Veterans Affairs, the Office of Personnel
Management, and the Office of Management and Budget. We published the proposed
rule on November 3 of 1999; the period for public comment closes today,
February 17, 2000, and we will call upon the same broad team to review and
respond to the public comments.
We have also continued the consultations
with outside groups that we began in preparing the Recommendations. Since the
proposed rule was published, we have met with over _____, and many of these
were coalitions representing still more interested parties. We have learned a
great deal from these consultations, and will continue fact-finding outreach as
necessary based on our review of the public comments.
As of February 15,
we had received over 30,000 comments by mail or hand delivery, and roughly
10,000 electronically via the web. Once we have logged in all the comments, we
will make them available to the public on our web site. Although we have not set
a target date for the final rule, largely because we do not know how many
comments we will receive, we intend to continue to make this regulation a top
priority and publish a final rule as soon as possible, consistent with our
responsibility to take the public comments into account.
The proposed
rule is based on the five key principles outlined above, from the Secretary's
recommendations: Boundaries, Security, Consumer Control, Accountability, and
Public Responsibility. To the extent possible under the HIPAA statutory
authority, it implements these principles as discussed in detail in the
Recommendations.
Because the proposed rule is widely available, we will
not repeat it here. Rather, we will highlight a few areas in which we are unable
to implement our Recommendation in full due to limitations in the Statutory
authority provided under the HIPAA. A summary of the proposed rule is attached,
and is available at our web site.
WHY THE REGULATION DOES NOT PROVIDE
COMPLETE PROTECTION
Coverage
The Recommendations call for
legislation that applies to health care providers and payers who obtain
identifiable health information from individuals and, significantly, to those
who receive such information from providers and payers. The Recommendations
follow health information from initial creation by a health plan or health care
provider, through various uses and disclosures, and would establish protections
at each step: "We recommend that everyone in this chain of information handling
be covered by the same rules."
However, the HIPAA limits the application
of our proposed rule to health plans, health care clearinghouses, and to any
health care provider who transmits health information in electronic form in
connection with transactions referred to in section 1173(a)(1) of the Act (the
"covered entities"). Unfortunately, this leaves many entities that receive, use
and disclose protected health information outside of the system of protection
that we propose to create.
In particular, the statute does not directly
cover many of the persons who obtain identifiable health information from the
covered entities. In the rule we are, therefore, faced with creating new
regulatory permissions for covered entities to disclose health information, but
cannot directly put in place appropriate restrictions on how many of the likely
recipients of such information may use and re-disclose such information. For
example, the Secretary's Recommendations proposed that protected health
information obtained by researchers not be further disclosed except for
emergency circumstances, for a research project that meets certain conditions,
and for oversight of research. In the rule, however, we cannot impose such
restrictions directly on researchers; instead, we propose that plans and
providers obtain proof of IRB or privacy board approval of the research
protocol. Additional examples of persons who receive health information but whom
we cannot reach with the regulation include employers, workers' compensation and
life insurance issuers, and law enforcement officers. We also do not have the
authority to directly regulate many of the persons that covered entities hire to
perform administrative, legal, accounting, and similar services on their behalf,
and who would obtain health information in order to perform their duties. This
inability to directly address the information practices of these groups leaves
an important gap in the protections provided by the proposed rule.
In
addition, only those providers who engage in the electronic administrative
simplification transactions can be covered by this rule. Any provider who
maintains a solely paper information system would not be subject to these
privacy standards, thus leaving another gap in the system of protection we
propose to create.
The need to match a regulation limited to a narrow
range of covered entities with the reality of information sharing among a wide
range of entities led us to consider severe limits on the type or scope of the
disclosures that would be permitted under the proposed regulation. The
disclosures we propose to allow, however, are necessary for smooth operation of
the health care system and for promoting key public goals such as research,
public health, and law enforcement. We decided that, on balance, such severe
limits on disclosures could do more harm than good. The only appropriate way to
fill this gap in protection is with legislation that regulates not just the
disclosing plans and providers, but also those receiving health information from
plans and providers.
Enforcement
Requirements to protect
individually identifiable health information must be supported by real and
significant penalties for violations. We recommend federal legislation that
would include punishment for those who misuse personal health information and
redress for people who are harmed by its misuse. We believe there should be
criminal penalties (including fines and imprisonment) for obtaining health
information under false pretenses, and for knowingly disclosing or using
protected health information in violation of the federal privacy law. We also
believe that there should be civil monetary penalties for other violations of
the law, and that any individual whose rights under the law have been violated
should be permitted to bring an action for actual damages and equitable relief.
Only if we put the force of law behind our rhetoric can we expect people to have
confidence that their health information is protected, and ensure that those
holding health information will take their responsibilities seriously.
In HIPAA, Congress did not provide sufficient enforcement authority.
There is no private right of action for individuals to enforce their rights. In
addition, we are concerned that the penalty structure does not reflect the
importance of these privacy protections and the need to maintain public trust in
the system.
For these and other reasons, we continue to call for federal
legislation to ensure that privacy protection for health information will be
strong and comprehensive.
CONCLUSION
Mr. Chairman, the five
principles embodied in our recommendations and proposed regulation - Boundaries,
Security, Consumer Control, Accountability, and Public Responsibility - should
guide a law that will create comprehensive federal standards and provide our
citizens with real peace of mind.
The principles represent a practical,
comprehensive and balanced strategy to protect health care information that is
collected, shared, and used in an increasingly complex world.
In
addition to creating new federal standards, we must ensure that every single
person who comes in contact with health care information understands why it is
important to keep the information safe, how it can be kept safe, and what will
be the consequences for failing to keep it safe. Most of all, we must help
consumers understand not just their privacy rights, but also their
responsibilities to ask questions and demand answers - to become active
participants in their health care.
Mr. Chairman, we in the Department
and the Administration are eager to work with you to enact strong national
medical privacy legislation.
Thank you again, for giving me this
opportunity to testify. I look forward to answering any questions that you may
have.
ENDNOTES:
1. "Confidentiality of Individually-Identifiable
Health Information, Recommendations of the Secretary of Health and Human
Services, pursuant to section 264 of the Health Insurance Portability and
Accountability Act of 1996" can be found on the HHS web site at:
<http://aspe.os.dhhs.gov/admnsimp/>.
2. The notice of proposed
rule making for Security and Electronic Signature Standards, covering security
safeguards for electronic information, was published on August 12, 1998.
****************
Proposed Standards for Privacy of Individually Identifiable Health Information
Statutory Requirement
Section 264 of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law
104-191, enacted August 21, 1996, requires that, if legislation establishing
privacy standards is not enacted "by the date that is 36 months after the date
of the enactment of this Act, the Secretary of Health and Human Services shall
promulgate final regulations containing such standards not later than the date
that is 42 months after the date of the enactment of this Act."
The
statutory deadline for Congress to enact legislation was August 21, 1999. Absent
legislation, HHS has developed its proposed rule.
Overview
The
proposed rule would:
- allow health information to be used and shared
easily for the treatment and for payment of health care;
- allow health
information to be disclosed without an individual's authorization for certain
national priority purposes (such as research, public health and oversight), but
only under defined circumstances;
- require written authorization for
use and disclosure of health information for other purposes, and
- create a set of fair information practices to inform people of how their
information is used and disclosed, ensure that they have access to information
about them, and require health plans and providers to maintain administrative
and physical safeguards to protect the confidentiality of health information and
protect against unauthorized access.
Scope
a. Entities covered
by the proposed rule
- Health care providers who transmit health
information electronically
- Health plans
- Health care
clearinghouses
b. Health information covered by the proposed rule
("Protected health information")
- Protection would start when
information becomes electronic, and would stay with the information as long as
the information is in the hands of a covered entity.
- Information
becomes electronic either by being sent electronically as one of the specified
Administrative Simplification transactions or by being maintained in a computer
system.
- The paper progeny of electronic information is covered; the
information would not lose its protections simply because it is printed out of
the computer.
- HIPAA protects the information itself, not the record in
which the information appears.
- The information must be "identifiable."
If the information has any components that could be used to identify the
subject, it would be covered.
General rules
We propose that
covered entities be prohibited from using or disclosing health information
except: as authorized by the patient, or as explicitly permitted by the
regulation. The regulation would permit use and disclosure of health information
without authorization for purposes of health care treatment, payment and
operations, and for specified national policy activities under conditions
tailored for each type of such permitted use or disclosure.
- The amount
of information to be used or disclosed would be restricted to the minimum amount
necessary to accomplish the relevant purpose, taking into consideration
practical and technological limitations.
- There would be exceptions for
situations in which assessment of what is minimally necessary is appropriately
made by someone other than the covered entity (e.g., when an individual
authorizes a use or disclosure of information, or when the disclosure is
mandatory under another law).
- We would allow covered entities to rely
on requests by certain public agencies in determining the minimum necessary
information for certain disclosures.
- Under the principle of minimum
necessary use, if an entity consists of several different components, the entity
would be required to create barriers between components so that information is
not used or shared inappropriately.
- To encourage covered entities to
strip identifiers from health information when it is possible to do so, we would
permit a covered entity to use and disclose such de-identified information in
any way, provided that:
- it does not disclose the key or other
mechanism that would enable the information to be re-identified, and
- it has no reason to believe that such use or disclosure will result in the use
or disclosure of protected health information (e.g., because the recipient has
the means to re-identify the information).
- We would treat the key to
coded identifiers the same as the information to which it pertains. A covered
entity could use or disclose a key only as it could use or disclose the
underlying information.
- We would permit covered entities to disclose
protected health information to persons they hire to perform functions on their
behalf, where such information is needed for that function. These "business
partners" would include contractors such as lawyers, auditors, consultants,
health care clearinghouses, and billing firms, but not members of the covered
entity's workforce.
- Except where the business partner is providing a
treatment consultation or referral, we would require covered entities to enter
into contracts with their business partners and would require the contracts to
include terms to ensure that the protected health information disclosed to a
business partner remains confidential.
Business partners would
not be permitted to use or disclose protected health information in ways that
would not be permitted of the covered entity itself. We use the contract as a
tool for protecting information, because HIPAA does not provide legislative
authority for the rule to reach many such business partners directly.
- The uses and disclosures permitted by this rule would be exactly that --
permitted, not required. For disclosures not compelled by other law, providers
and payers would be free to disclose or not, according to their own policies and
principles. At the same time, nothing in this rule would provide authority for a
covered entity to refuse to make a disclosure mandated by other law.
- Only two disclosures would be required by this proposed rule: disclosure to the
subject individual pursuant to the individual's request to inspect and copy
health information about him or her, and certain disclosures for the purposes of
enforcing the rule.
- Health information covered by the proposed rule
generally would remain protected for two years after the death of the subject of
the information, subject to certain exceptions.
Disclosures without
authorization for health care treatment, payment, and operations
- Covered entities could use and disclose protected health information without
authorization for treatment, payment and health care operations. This would
include purposes such as quality assurance, utilization review, credentialing,
and other activities that are part of ensuring appropriate treatment and
payment.
- Individuals generally could ask a covered entity to restrict
further use and disclosure of protected health information for treatment,
payment, or health care operations, with the exception of uses or disclosures
required by law. The covered entity would not be required to agree to such a
request, but if the covered entity and the individual agree to a restriction,
the covered entity would be bound by the agreement.
Uses and disclosures
with individual authorization
- Covered entities could use or disclose
protected health information with the individual's authorization for almost any
lawful purpose.
- We would prohibit covered entities from conditioning
treatment or payment on the individual agreeing to disclose information for
other purposes, and require the authorization form to state this prohibition.
- While the provisions of this proposed rule are intended to make
authorizations for treatment and payment purposes unnecessary, some States may
continue to require them. Generally, this rule would not supersede such State
requirements. However:
- the rule would impose a new requirement that
such State-mandated authorizations must be physically separate from an
authorization for other purposes described in this rule.
- the
authorization would have to meet the rule's requirements for the content of such
authorizations (although a state law could require that an authorization contain
additional provisions).
- We would require authorizations to specify the
information to be disclosed, who would get the information, and when the
authorization would expire. If an authorization is sought so that a covered
entity may sell or barter the information, the covered entity would have to
disclose this fact on the authorization form.
- Use or disclosure of
information by the covered entity inconsistent with the authorization would be
unlawful.
- Individuals could revoke an authorization.
Permissible uses and disclosures for purposes other than treatment,
payment and operations
- Covered entities could use and disclose
protected health information without individual authorization for the following
national priority activities:
- Oversight of the health care system,
including quality assurance activities;
- Public health, and in
emergencies affecting life or safety;
- Research;
- Judicial and
administrative proceedings;
- Law enforcement;
- To provide
information to next-of-kin;
- For identification of the body of a
deceased person, or the cause of death;
- For government health data systems;
- For facilities' (hospitals, etc.) directories;
- To financial
institutions, for processing payments for health care; and
- In other
situations where the use or disclosure is mandated by other law, consistent with
the requirements of the other law.
- Specific conditions would have to
be met in order for the use or disclosure of protected health information to be
permitted. These conditions are tailored to the need for each specific category
listed above and to the types of organizations involved in such activities.
Individual rights
The proposed rule would provide several basic
rights for individuals with respect to protected health information about them.
Individuals would have:
- The right to receive a written notice of
information practices from health plans and providers. The notice must describe
the types of uses and disclosures that the plan or provider would make with
health information (not just those uses and disclosures that could lawfully be
made). When plans and providers change their information practices, they would
also have to update the notice. Plans and providers would be required to follow
the information practices specified in their most current notice.
- The
right to obtain access to protected health information about them, including a
right to inspect and obtain a copy of the information.
- The right to
request amendment or correction of protected health information that is
inaccurate or incomplete.
- The right to receive an accounting of the
instances where protected health information about them has been disclosed by a
covered entity for purposes other than treatment, payment, or health care
operations (subject to certain time-limited exceptions for disclosures to law
enforcement and oversight agencies).
Administrative requirements and
policy development and documentation
This proposed rule would require
providers and payers to develop and implement basic administrative procedures to
protect health information and the rights of individuals with respect to that
information.
- Covered entities would be required to maintain
documentation of their policies and procedures for complying with the
requirements of the proposed rule. The documentation must include a statement of
the entity's practices regarding who would have access to protected health
information, how that information would be used within the entity, and when that
information would or would not be disclosed to other entities.
- Covered entities would be required to have in place administrative systems,
appropriate to the nature and scope of their business, that enable them to
protect health information in accordance with this rule. Specifically, covered
entities would be required to:
- designate a privacy official;
- provide privacy training to members of its workforce;
- implement
safeguards to protect health information from intentional or accidental misuse;
- provide a means for individuals to lodge complaints about the entity's
information practices, and maintain a record of any complaints; and
- develop a system of sanctions for members of the workforce and business partners
who violate the entity's policies.
Scalability
We propose
privacy standards that covered entities must meet, but leave the detailed
policies and procedures for meeting these standards to the discretion of each
covered entity.
- We intend that implementation of these standards be
flexible and scalable, to account for the nature of each covered entity's business,
and the covered entity's size and resources. We would require that each covered
entity assess its own needs and implement privacy policies appropriate to its
information practices and business requirements.
- The preamble to the
proposed rule will include examples of how implementation of these standards is
scalable.
Preemption
Pursuant to HIPAA, this rule will preempt
state laws that are in conflict with the regulatory requirements and that
provide less stringent privacy protections, with specified exceptions for
certain public health functions and related activities.
Enforcement
- Under HIPAA, the Secretary is granted the authority to impose civil
monetary penalties against those covered entities which fail to comply with the
requirements of this regulation.
- HIPAA also established criminal
penalties for certain wrongful disclosures of protected health information.
These penalties are graduated, increasing if the offense is committed under
false pretenses, or with intent to sell the information or reap other personal
gain.
- Civil monetary penalties are capped at $25,000
for each calendar year for each standard that is violated.
What this
proposed rule does not do
- HIPAA limits the application of our
proposed rule to the covered entities. It does not provide the authority for the
rule to reach many entities that receive health information from these covered
entities, so the rule cannot put in place appropriate restrictions on how such
recipients of protected health information may use and re-disclose such
information.
- Any provider who maintains a solely paper information
system cannot be subject to these privacy standards.
- There is no
statutory authority for a private right of action for individuals to enforce
their privacy rights.
END
LOAD-DATE:
February 24, 2000