Privacy - Overview
HIPAA Privacy Standards for Healthcare Providers

NOTE: On August 14, 2002, HHS issued modifications to the final Privacy regulation. This overview has been revised to reflect those changes.

Under HIPAA, Congress instructed the Department of Health and Human Services (HHS) to adopt standards for the electronic transmission of healthcare transactions. By encouraging the electronic exchange of health information, Congress recognized that it was also creating the potential to put the confidentiality of sensitive health data in jeopardy. Therefore, HIPAA also mandated the development of Privacy standards. When Congress was unable to meet a self-imposed deadline to enact privacy legislation, the task of promulgating Privacy standards by regulation fell to HHS.

Traditionally, the privacy of healthcare information has been within the purview of the states. The HIPAA regulation creates a new federal floor of protections to enhance confidentiality and ensure the ability of individuals to access their personal information. States remain able to enact more stringent laws that provide greater protections or enable greater access by the subject of the information.

HHS issued the final privacy regulation in December 2000. Modifications to the final rule were issued August 14, 2002. Compliance by covered entities is required by April 14, 2003.

Application of the Privacy Standards

Like all of the HIPAA regulations, the Privacy standards apply to:

  • Health plans;
  • Healthcare clearinghouses;
  • Healthcare providers who transmit designated transactions in electronic form (or who use another entity to transmit transactions electronically on their behalf).

Although it is the electronic transmission of health information that determines application of the regulations to healthcare providers, once this threshold is met, the standards apply to all "protected health information" (PHI).

PHI is defined as individually identifiable health information transmitted or maintained in any form, including verbally and on paper. This is a major change from the proposed rules that called for information to be covered only if it was maintained or transmitted in electronic form.

Privacy Requirements

The basic privacy rule under HIPAA is that PHI may not be used or disclosed without the patient's permission (or the permission of someone authorized to act on the patient's behalf) unless the use or disclosure is specifically required or permitted by the regulations.

Required Disclosures

Only two types of disclosure are required by HIPAA:

  • To a person who is the subject of the PHI, and
  • To the Secretary of HHS to investigate compliance with the regulations.

State laws may require disclosure for other purposes. The HIPAA regulation allows disclosure to comply with these laws.

Permitted Disclosures

A primary goal of the HIPAA Privacy regulation is to give patients some control over how their PHI is used and disclosed. The regulation accomplishes this by creating different categories of uses and disclosures. Some of these categories do not require patient permission at all; others require a specific type of permission.

Treatment, Payment and Healthcare Operations: The original Privacy regulation required providers to obtain written patient consent to use or disclose PHI for routine healthcare purposes. In a significant change, the August 2002 modifications eliminated the requirement of obtaining patient consent to use or disclose PHI for treatment, payment, and healthcare operations. The regulation does not prohibit providers from obtaining patient consent; consent for these purposes is now optional.

In order to ensure that patients are still informed about their privacy rights, however, HHS substituted for patient consent a requirement that providers make a good faith effort to obtain patients' written acknowledgment of receipt of the providers' Notice of Privacy Practices (discussed below).

Treatment, payment and healthcare operations are broadly defined under the Privacy regulation. Treatment is "the provision, coordination, or management of health care and related services by one or more providers" and specifically includes consultations and referrals. Payment encompasses all activities necessary to obtain reimbursement for the provision of health care, such as eligibility determinations, billing and collection efforts. Healthcare operations for which PHI may be used and disclosed without patient consent include:

  • Conducting quality assessment and improvement activities;
  • Reviewing the competence or qualifications of healthcare professionals;
  • Conducting or arranging for legal services and auditing functions;
  • Performing business planning and development activities;
  • Performing business management and general administrative activities.

Healthcare operations may be conducted by Business Associates if the provider obtains "satisfactory assurance" -- a contract -- that the Business Associates will appropriately safeguard any PHI disclosed to them.

Public policy: The HIPAA Privacy regulation permits use or disclosure of PHI without patient permission for specified public policy purposes including:

  • Disclosures required by law
  • Defined public health activities
  • Abuse, neglect, or domestic violence reporting
  • Defined health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement
  • Use by coroners, medical examiners, and funeral directors
  • Organ donation
  • Limited research
  • Use to avert a serious threat to health or safety
  • Specialized government functions
  • Workers' compensation

Use and disclosure of PHI for each of these public policy purposes is closely circumscribed by the regulation. Providers must review the rules carefully to determine their application in any given situation.

Opportunity to agree or object: In a few situations, providers may use or disclose PHI with a patient's verbal permission, provided the patient is informed in advance of the use or disclosure and is given the opportunity to agree or object. These situations include disclosures for facility directories and disclosures to persons involved in the care of the patient or payment for treatment.

Authorization: When PHI is to be used or disclosed for purposes not otherwise permitted by the regulations (e.g., release to an attorney, marketing, sale to a drug manufacturer), a detailed, written patient Authorization is required. Specific Authorization is also required for disclosure of psychotherapy notes. The regulation outlines very specific elements that must be included in Authorization forms.

Minimum Necessary

Even when the use or disclosure of PHI is appropriate, providers generally must use reasonable efforts to limit the use or disclosure to the minimum amount of information necessary to accomplish the intended purpose. This requirement does not apply to the use or disclosure of PHI:

  • Made to the patient;
  • For treatment purposes;
  • Pursuant to an appropriate authorization;
  • Required by law;
  • Requested by HHS for enforcement of the regulation.

Patient Rights

The HIPAA Privacy regulation grants patients significant new federal rights to be informed about, and control how, their PHI is used and disclosed. These rights include:

  • Right to Notice of Privacy Practices - Patients are entitled to receive written notice of their provider's privacy policies. This notice must be in plain language and include details about how PHI may be used, the provider's duty to protect PHI, the patient's rights with respect to PHI, and how patients may file complaints if they believe their privacy rights have been violated.

    Providers must make a good faith effort to obtain written patient acknowledgment of receipt of the Notice of Privacy Practices. The regulation is silent about how this acknowledgment should be structured; providers may develop the best method to suit their individual practices.

  • Right to request restrictions on uses and disclosure of PHI - Patients may ask for restrictions on the use of their PHI. Providers are not required to agree to these requests. However, if they do agree, they must abide by the restrictions.

  • Right to access health information - With some exceptions, patients have the right to access, inspect, and copy their health information.

  • Right to request amendment of PHI - Patients must be permitted to request that their PHI be amended. Providers may deny a request if they believe the PHI is accurate and complete or if they did not create the information.

  • Right to request an accounting of disclosures of PHI - HIPAA grants patients the right to receive an accounting of disclosures of their PHI made in the six years prior to the date of their request. Accountings may exclude disclosures for treatment, payment, healthcare operations, facility directories, and some national security and law enforcement purposes.

Administrative Requirements

The HIPAA Privacy regulation creates a number of administrative requirements for healthcare providers. These include:

  • Designating a privacy official responsible for developing and implementing documented privacy policies and procedures;
  • Designating a contact person to receive complaints about the organization's privacy practices;
  • Training all members of the work force on privacy policies and procedures;
  • Instituting administrative, technical, and physical safeguards to protect against use or disclosure of PHI in violation of the regulations;
  • Applying appropriate sanctions for failure to comply with privacy policies or regulations.

Impact

Confidentiality of patient information is a fundamental concept in healthcare and most providers already have informal privacy protections in place. The HIPAA Privacy regulation goes a step further, though, and requires documented policies and procedures and new administrative safeguards. Virtually all providers will need to upgrade their protections for PHI.

HIPAA Privacy readiness should not require excessive expenditures or extreme policies. In response to the concerns of providers, HHS has clarified that it will be looking for reasonable implementation efforts, scaled to the size and capabilities of each provider.

Revised: March 2004