This is an archive page. The links are no longer being updated.

Testimony on Confidentiality of Patient Records by Margaret A. Hamburg, M.D.
Assistant Secretary for Planning and Evaluation
U.S. Department of Health and Human Services

Before the House Committee on Ways and Means, Subcommittee on Health
February 17, 2000

Mr. Chairman, Congressman Stark, distinguished members of the Committee: I appreciate the opportunity to appear before you to discuss the need for federal legislation to ensure comprehensive privacy safeguards for health information. This issue is a top priority for the Department and the Administration, and although the regulation that we recently proposed serves as a foundation for providing strong privacy protections for consumers' health information, we continue to believe that legislation is ultimately necessary if we are to appropriately protect the privacy of health information of all Americans.

As the outset, I want to commend the members of this Subcommittee Mr. Thomas, Mr. Stark, and Mr. McDermott, as well as Mr. Cardin, for their interest in health care privacy and efforts to develop this important and complex legislation. In addition, we are encouraged by the recent appointment of two congressional task forces to address privacy issues. The "Congressional Privacy Caucus" has the potential to generate the momentum needed to enact legislation this year.

As you may remember, Secretary Shalala first presented her recommendations, required by the Congress under Section 264 of the Heath Insurance Portability and Accountability Act (HIPAA), in September 1997.¹ I think it is fair to say that the recommendations were well received and have been used to assist others in crafting their own legislative proposals.

HIPAA also requires that if legislation establishing comprehensive privacy protection was not enacted by August of last year, HHS must prepare final regulations. We assembled an interagency team to assist us in preparing the proposed regulation, including representatives from the Departments of Labor, Defense, Justice, Commerce, the Social Security Administration, the Office of Personnel Management, the Department of Veterans Affairs, and the Office of Management and Budget. We published the proposed rule on November 3 of 1999; the period for public comment closes today, February 17, 2000, and we will call upon a similarly broad team to review and respond to the public comments.

We explained the basis for our proposals in detail in the preamble to the proposed rule and asked for comments on over 150 specific issues. We are committed to reviewing all the public comments. Nothing in our proposed rule is set in stone. We are committed to achieving the proper balance between ensuring patient privacy and the needs of the health care system to function properly and continue advances in medical treatment. Our commitment to 'getting it right' led us to extend the comment period from January 3 to February 17, so the public and stakeholders would have adequate time to consider the proposed rule, comment, and suggest alternative proposals.

Since we have just begun to review the comments, I will not speculate on or debate the contents of the final rule today. I can tell you that, as of yesterday, we had received over 30,000 comments by mail or hand delivery, and another 10,000 on our web site. Further, we met with dozens of individuals and organizations to hear more about their concerns and clarify provision of the proposed rule.

While we are moving ahead to prepare the final regulation, the President and Secretary Shalala have made it very clear that their first priority is to see Congress enact a health information privacy bill that builds upon the progress made by our proposed regulation and ensures comprehensive privacy protections. We believe our rule will be a very good start in providing confidentiality protections, but legislation is needed to complete this important task and provide the protections envisioned in the Secretary's recommendations. Our staff have been working closely with many of your staff, and staff in the Senate, to assist you in achieving that goal. Again, let me reiterate, we want to see legislation, and we want to work with you to make that happen.

The issue of health information privacy is quite complex ­ in order to resolve it legislatively, some difficult choices will have to be made. We believe that our recommendations strike the appropriate balance between the privacy needs of our citizens and the critical needs of our health care system and our nation. This is an issue that touches every single American, and to reach resolution we will need a bipartisan effort.

THE NEED FOR LEGISLATION

It has been over 25 years since a public advisory committee appointed by former HEW Secretary Elliot Richardson set forth principles of fair information practices that led to the landmark Federal Privacy Act. The Privacy Act is premised on the idea that individuals have a right to know what personal information the government holds about them, how that information will be used, and the right to review that information. Those 25 years have brought vast changes in our health care system.

Changes in our health care delivery system mean that we must place our trust in entire networks of insurers and health care professionals ­ both public and private. The computer and telecommunications revolutions mean that information no longer exists in one place ­ it can travel in real time to many hospitals, physicians, insurers, and across state lines.

In addition, new discoveries in biology mean that a whole new world of medical tests have the potential to help prevent disease. However, they also reveal the most personal health information about an individual and his or her family. Without safeguards to assure citizens that getting tested will not endanger their families' privacy or health insurance, we could endanger one of the most promising areas of research our nation has ever seen.

Health care privacy can be safeguarded. It must be done with national legislation, national education, and an on-going national conversation.

Currently, when we give a physician or health insurance company precious health information, the level of protection will vary widely from state to state. We have no comprehensive federal health information privacy standards. Because the practice of health care is increasingly becoming interstate through mergers, complex contractual relationships and enhanced telecommunications, we can no longer rely on the existing patchwork of state laws. The patchwork does not provide Americans the privacy protections they need or expect. The Congress should seize upon this opportunity to create strong federal standards and reassure the public that they can trust their health care providers and insurers to keep their health information secure.

In developing our recommendations for federal legislation, we learned a great deal through consultations with a variety of outside groups and from six days of public hearings conducted by the National Committee on Vital and Health Statistics, our statutory federal advisory committee for health data and privacy policy. The hearings involved over 40 witnesses from across the health community, including health care professionals, plans, insurance companies, the privacy community, and the public health and research communities.

We believe our recommendations provide a balanced framework for legislation that can protect the privacy of medical records, guarantee consumers the right to inspect their records, and punish unauthorized disclosures of personal health data by hospitals, insurers, health plans, drug companies or others.

THE PRINCIPLES

The Secretary's recommendations for legislation, and our proposed regulation, are grounded in five key principles: Boundaries, Security, Consumer Control, Accountability, and Public Responsibility.

Boundaries

The first is the principle of Boundaries: With very few exceptions, personally identifiable health care information should be disclosed for health purposes and health purposes only. It should be easy to use it for those purposes, and very difficult to use it for other purposes.

For example, employers should be able to use the information furnished by their employees to provide on-site care or to administer a health plan in the best interests of those employees. But those same employers should not be able to use information obtained for health care purposes to discriminate against individuals when making employment decisions ­ such as hiring, firing, training, placements and promotions. To enforce these boundaries, we recommend strong penalties for the inappropriate use or disclosure of medical records.

We recommend that the legislation apply specifically to providers and payers, and to anyone who receives health information from a provider or payer, either with the authorization of the patient or as authorized explicitly by legislation. To the extent allowed under the HIPAA statute, we have taken this approach in our proposed regulation. Our proposed rule would authorize the use and disclosure of personal information by heath plans and providers without the person's consent for specified health care and national priority purposes, and would require fair and informed consent from individuals for all other uses. However, as discussed below, the statute limits our authority to ensure that information that leaves a health plan or provider remains protected.

Our recommendations also recognize that these providers and payers do not act alone. In order for a provider or payer to operate efficiently, it may need to enlist a service organization to perform an administrative or operational function. For example, a hospital may hire an organization to encode and process bills, or a managed care organization may contract with a pharmaceutical benefit management company to provide information to pharmacists about what medications are covered and appropriate for their customers.

The numbers and types of service organizations are increasing every day. While most do not have direct relationships with the patients, they do have access to their personal health care information. Therefore, we recommend that they should be bound by the same standards. For example, a health plan's contractor should be allowed to have access to patient lists in order to do mailings to remind patients to schedule appointments for preventive care. But it should not be able to sell the patient lists to a pharmaceutical company for a direct mailing announcing a new product (without the person's consent). With the Business Partner provisions of our proposed Privacy Standards, we have taken this approach to the extent allowed under the HIPAA statute.

Security

The second principle is Security. Americans need to feel secure that when they give out personal health care information, they are leaving it in good hands. Information should not be used or given out unless either the patient authorizes it or there is a clear legal basis for doing so.

There are many different ways that private information like your blood tests could become public. People who are allowed to see it ­ such as lab technicians ­ can misuse it either carelessly or intentionally. And people who should not be seeing it ­ such as marketers or even hackers ­ can find a way to access it, either because the organization holding the information doesn't have proper safeguards or the marketers can find an easy way around the safeguards. To give Americans the security they expect and deserve, Congress should develop legislation that requires those who legally receive health information to take reasonable steps to safeguard it or face consequences for failure to do so.

What do we mean by reasonable steps? The organizations should be required to have in place protective administrative and management techniques, educate their employees about these procedures, and impose disciplinary sanctions against employees who use information improperly or carelessly.

We addressed some of these steps in our Security Standards regulation, implementing the Administrative Simplification mandate under HIPAA.² That NPRM laid out a range of approaches for safeguarding the information to which the HIPAA mandate applies. In the privacy NPRM we proposed related steps for safeguarding health information, and we will coordinate these requirements in the final Security and Privacy regulations. However, these regulations will not reach all health information held by health plans and providers. We need legislation to cover all health information that needs this kind of protection.

We don't believe a law can specify the details of these protections because each organization must keep pace with the new threats to our privacy and the technology that can either abate or exacerbate them. But a federal law can require everyone who holds health information to have these types of safeguards in place and specify the appropriate sanctions if the information is improperly disclosed. In our regulations, we have proposed such a "scalable" approach, to reflect the differences in the size and nature of the entities that hold health information. The proposed regulations set forth the basic principles and general criteria for securing health information, and leave the specific steps for meeting these principles to each regulated entity. In this way, each entity can take the steps most appropriate to its size, the nature of the information it holds, and its business practices.

Consumer Control

The third principle is Consumer Control. The principles of fair information practice (formulated in 1973 by a committee appointed by Secretary Richardson) included as a basic right: "There must be a way for an individual to find out what information about him is in a record and how it is used."

With very narrow exceptions, consumers should have the right to find out what is contained in their records, find out who has looked at them, and to inspect, copy and, if necessary, correct them. Consumers should be given a clear explanation of these rights and they should understand how organizations will use their information. Let me give you an example of why this is important. According to the Privacy Rights Clearinghouse, a California physician in private practice was having trouble getting health, disability, and life insurance. She ordered a copy of her report from the Medical Information Bureau ­ an information service used by many insurance companies. It included information showing that she had a heart condition and Alzheimer's disease. There was only one problem. None of it was true. Unfortunately, under the current system these types of errors occur all too often. Consumers often do not have access to their own health records and even those who do are not always able to correct some of the most egregious errors.

With that in mind, our Recommendations set forth a set of practices and procedures that would require that insurers and health care providers provide consumers with a written explanation of who has access to their information and how that information will be used, how they can restrict or limit access to it, and what their rights are if their information is disclosed improperly.

We also recommend procedures for patients to inspect and copy their information, and set out the very limited circumstances under which patient inspection should be properly denied.

Finally, we recommend a process for patients to seek corrections or amendments to their health information to resolve situations in which innocent coding errors cause patients to be charged for procedures they never received, or to be on record as having conditions or medical histories that are inaccurate. The proposed privacy standards follow these Recommendations.

Accountability

The fourth principle is Accountability. If you are using information improperly, you should be punished. This flows directly from the second principle of security ­ the requirement to safeguard information must be followed by real and severe penalties for violations. Congress should send the message that protecting the confidentiality of health information is vitally important, and that people who violate that confidence will be held accountable.

We recommend that offenders should be subject to criminal felony penalties if they knowingly obtain or use health care information in violation of the standards outlined in our report. The penalties mandated in privacy legislation should be higher when violations are for monetary gain. In addition, when there is a demonstrated pattern or practice of unauthorized disclosure, those committing it should be subject to civil monetary penalties.

In addition to punishing the perpetrators, we must give redress to the victims. We believe that any individual whose privacy rights have been violated should be permitted to bring a legal action for actual damages and equitable relief. The standard for such actions should not be set so high as to make the right meaningless in practice. Attorney's fees and punitive damages should be available when the violation is particularly egregious. As described more fully below, the HIPAA legislative authority does not allow the regulation to accomplish these goals.

These first four principles ­ Boundaries, Security, Consumer Control and Accountability ­ must be carefully weighed against the fifth principle, Public Responsibility.

Public Responsibility

Just like our free speech rights, privacy rights can never be absolute. We have other critical ­ yet often competing ­ interests and goals. We must balance our protections of privacy with our public responsibility to support national priorities ­ public health and safety, research, quality care, and our fight against health care fraud and abuse and other unlawful activities.

Our Department is acutely aware of the need to use personal health information for each of these national priorities. For example, researchers have used health records to help us fight childhood leukemia and uncover the link between DES and reproductive cancers. Public health agencies use health records to warn us of outbreaks of emerging infectious diseases. HHS auditors use health records to uncover kickbacks, overpayments and other fraudulent activity. In addition, our efforts to improve quality in our health care system depend on our ability to review health information to determine how well health institutions and health professionals are caring for patients.

For public health and safety, research, quality evaluations, fraud investigations, and legitimate law enforcement purposes, it's not always possible, or desirable, to ask for each patient's authorization for access to the necessary health information. And, in many cases, doing so could create major obstacles in our efforts. While we must be able to use identifiable information when necessary for these purposes, we should use information that is not identifiable as much as possible.

To demonstrate how access must be balanced against public responsibility, let me outline a few of the areas in which we recommend that disclosure of health information should be permitted without patient authorization.

Public Health and Safety

Under certain circumstances, we recommend permitting health care professionals, payers, and those receiving information from them to disclose health information without patient authorization to public health authorities for disease reporting, adverse event reporting, public health and safety investigation, or intervention. This is currently how the public health system operates under existing State and federal laws.

For example, consider the outbreak of E. coli in hamburger that resulted in the largest recall of meat products in history. Public health authorities, working with other officials, used personally identifiable information to identify quickly the source of the outbreak and thereby prevent thousands of other Americans from being exposed to a contaminated product.

Research

An important mission for the Department of Health and Human Services is to fund and conduct health research. We understand that research is vitally important to our health care and to progress in medical care. Legislation should not impede this activity.

Today the Federal Policy for Protection of Human Subjects (the Common Rule) and FDA's Human Subject Protection Regulations protect participants in research studies that are funded or regulated by the federal government. These rules help protect the research subjects while not impeding the conduct of research. To protect patient privacy, we recommend that similar protections should be extended to all research in which individually identifiable health information is disclosed without patient authorization, and not just federally funded or regulated research.

Researchers should determine whether their research requires the retention of personal identifiers. There are research studies that can only be conducted if identifiers are retained; for example, outcomes studies for heart attack victims or the recent study which identified a correlation between the incidence of Sudden Infant Death Syndrome and the infant's sleep position. In addition, if, and when, personal identifiers are no longer needed, the researcher should be required to remove them and provide assurances that the information will be protected from improper use and unauthorized additional disclosures.

Under the Common Rule, if personal identifiers are necessary, an IRB (Institutional Review Board) must review the research proposal and determine whether informed consent is required or may be waived. In order for informed consent to be waived, an IRB must determine that the research involves no more than minimal risk to participants, that the absence of informed consent will not adversely affect the rights and welfare of participants, that conducting the research would be impracticable if consent were required, and that whenever appropriate, the participants will be provided with additional pertinent information after participation. This kind of IRB, privacy board, or a similar mechanism of review should be applicable for all research using individually identifiable health information without a patient authorization, regardless of funding source.

Because the Common Rule was designed for protection of human subjects in general, not specifically with privacy protection in mind, our Recommendations included additional criteria for release of information without the subject's consent. We included those criteria in our proposed rule. We believe that, before an IRB or privacy board can approve disclosure of health information without the subject's consent, it should determine that: the research would be impracticable to conduct without the identifiable health information; the research project is of sufficient importance to outweigh the privacy intrusion that would result from the disclosure; there is an adequate plan to protect the identifiers from improper use and disclosure; and there is an adequate plan to destroy the identifiers at the earliest opportunity, unless there is a health or research justification for retaining identifiers. We have included these additional criteria in the proposed privacy regulation.

PREEMPTION

Our recommendations call for national standards. But, we do not recommend outright or overall federal preemption of existing State laws that are more protective of health information.

Some protections that we recommend will be stronger than some existing State laws. Therefore, we recommend that Federal legislation replace State law only when the State law is less protective than the Federal law. Thus, the confidentiality protections provided would be cumulative and the Federal legislation would provide every American with a basic set of rights with respect to health information.

This is consistent with the broader approach taken to preemption in the HIPAA statute, both in the insurance reform provisions and the administrative simplification and privacy provisions. For the most part, State laws that go further than the federal law are preserved. We recognize that there are some concerns with this approach. In fact, some of these concerns are recognized in the privacy provisions of the HIPAA statute, which create carve outs from preemptions for state laws governing certain public health functions as well as other specific activities such as fraud and abuse. At the same time, we believe that, if a federal law is sufficiently strong, states will not need to enact additional privacy legislation.

HHS PROPOSED PRIVACY STANDARDS

Process and Status

To assist us in developing the proposed rule, we assembled an interagency team including representatives from all parts of HHS, as well as the Departments of Labor, Defense, Commerce, and Justice, the Social Security Administration, the Department of Veterans Affairs, the Office of Personnel Management, and the Office of Management and Budget. We published the proposed rule on November 3 of 1999; the period for public comment closes, today, February 17, 2000 and we will call upon the same broad team to review and respond to the public comments.

We have also continued the consultations with outside groups that we began in preparing the Recommendations. Since the proposed rule was published, we have meet with over _____, and many of these were coalitions representing still more interested parties. We have learned a great deal from these consultations, and will continue fact-finding outreach as necessary based on our review of the public comments.

As of February 15, we had received over 30,000 comments by mail or hand delivered, and roughly 10,000 electronically via the web. Once we have logged in all the comments, we will make them available to the public on our web site. Although we have not set a target date for the final rule, largely because we do not know how many comments we will receive, we intend to continue to make this regulation a top priority and publish a final rule as soon as possible, consistent with our responsibility to take the public comments into account.

The proposed rule is based on the five key principles outlined above, from the Secretary's recommendations: Boundaries, Security, Consumer Control, Accountability, and Public Responsibility. To the extent possible under the HIPAA statutory authority, it implements these principles as discussed in detail in the Recommendations.

Because the proposed rule is widely available, we will not repeat it here. Rather, we will highlight a few areas in which we are unable to implement our Recommendation in full due to limitations in the Statutory authority provided under the HIPAA. A summary of the proposed rule is attached, and is available at our web site.

WHY THE REGULATION DOES NOT PROVIDE COMPLETE PROTECTION

Coverage

The Recommendations call for legislation that applies to health care providers and payers who obtain identifiable health information from individuals and, significantly, to those who receive such information from providers and payers. The Recommendations follow health information from initial creation by a health plan or health care provider, through various uses and disclosures, and would establish protections at each step: "We recommend that everyone in this chain of information handling be covered by the same rules."

However, the HIPAA limits the application of our proposed rule to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (the "covered entities"). Unfortunately, this leaves many entities that receive, use and disclose protected health information outside of the system of protection that we propose to create.

In particular, the statute does not directly cover many of the persons who obtain identifiable health information from the covered entities. In the rule we are, therefore, faced with creating new regulatory permissions for covered entities to disclose health information, but cannot directly put in place appropriate restrictions on how many of the likely recipients of such information may use and re-disclose such information. For example, the Secretary's Recommendations proposed that protected health information obtained by researchers not be further disclosed except for emergency circumstances, for a research project that meets certain conditions, and for oversight of research. In the rule, however, we cannot impose such restrictions directly on researchers; instead, we propose that plans and providers obtain proof of IRB or privacy board approval of the research protocol. Additional examples of persons who receive health information but whom we cannot reach with the regulation include employers, workers compensation and life insurance issuers, and law enforcement officers. We also do not have the authority to directly regulate many of the persons that covered entities hire to perform administrative, legal, accounting, and similar services on their behalf, and who would obtain health information in order to perform their duties. This inability to directly address the information practices of these groups leaves an important gap in the protections provided by the proposed rule.

In addition, only those providers who engage in the electronic administrative simplification transactions can be covered by this rule. Any provider who maintains a solely paper information system would not be subject to these privacy standards, thus leaving another gap in the system of protection we propose to create.

The need to match a regulation limited to a narrow range of covered entities with the reality of information sharing among a wide range of entities led us to consider severe limits on the type or scope of the disclosures that would be permitted under the proposed regulation. The disclosures we propose to allow, however, are necessary for smooth operation of the health care system and for promoting key public goals such as research, public health, and law enforcement. We decided that, on balance, such severe limits on disclosures could do more harm than good. The only appropriate way to fill this gap in protection is with legislation that regulates not just the disclosing plans and providers, but also those receiving health information from plans and providers.

Enforcement

Requirements to protect individually identifiable health information must be supported by real and significant penalties for violations. We recommend federal legislation that would include punishment for those who misuse personal health information and redress for people who are harmed by its misuse. We believe there should be criminal penalties (including fines and imprisonment) for obtaining health information under false pretenses, and for knowingly disclosing or using protected health information in violation of the federal privacy law. We also believe that there should be civil monetary penalties for other violations of the law, and that any individual whose rights under the law have been violated should be permitted to bring an action for actual damages and equitable relief. Only if we put the force of law behind our rhetoric can we expect people to have confidence that their health information is protected, and ensure that those holding health information will take their responsibilities seriously.

In HIPAA, Congress did not provide sufficient enforcement authority. There is no private right of action for individuals to enforce their rights. In addition, we are concerned that the penalty structure does not reflect the importance of these privacy protections and the need to maintain public trust in the system.

For these and other reasons, we continue to call for federal legislation to ensure that privacy protection for health information will be strong and comprehensive.

CONCLUSION

Mr. Chairman, the five principles embodied in our recommendations and proposed regulation ­ Boundaries, Security, Consumer Control, Accountability, and Public Responsibility ­ should guide a law that will create comprehensive federal standards and provide our citizens with real peace of mind.

The principles represent a practical, comprehensive and balanced strategy to protect health care information that is collected, shared, and used in an increasingly complex world.

Mr. Chairman, we in the Department and the Administration are eager to work with you to enact strong national medical privacy legislation.

Thank you again, for giving me this opportunity to testify. I look forward to answering any questions that you may have.

Proposed Standards for Privacy of Individually Identifiable Health Information

Statutory Requirement

Section 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, enacted August 21, 1996, requires that, if legislation establishing privacy standards is not enacted "by the date that is 36 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act."

The statutory deadline for Congress to enact legislation was August 21, 1999. Absent legislation, HHS has developed its proposed rule.

Overview

The proposed rule would:

• allow health information to be used and shared easily for the treatment and for payment of health care;
• allow health information to be disclosed without an individual's authorization for certain national priority purposes (such as research, public health and oversight), but only under defined circumstances;
• require written authorization for use and disclosure of health information for other purposes, and
• create a set of fair information practices to inform people of how their information is used and disclosed, ensure that they have access to information about them, and require health plans and providers to maintain administrative and physical safeguards to protect the confidentiality of health information and protect against unauthorized access.

Scope

1. Entities covered by the proposed rule
   • Health care providers who transmit health information electronically
   • Health plans
   • Health care clearinghouses
2. Health information covered by the proposed rule ("Protected health information")
   • Protection would start when information becomes electronic, and would stay with the information as long as the information is in the hands of a covered entity.
   • Information becomes electronic either by being sent electronically as one of the specified Administrative Simplification transactions or by being maintained in a computer system.
   • The paper progeny of electronic information is covered; the information would not lose its protections simply because it is printed out of the computer.
   • HIPAA protects the information itself, not the record in which the information appears.
   • The information must be "identifiable." If the information has any components that could be used to identify the subject, it would be covered.

General rules

We propose that covered entities be prohibited from using or disclosing health information except: as authorized by the patient, or as explicitly permitted by the regulation. The regulation would permit use and disclosure of health information without authorization for purposes of health care treatment, payment and operations, and for specified national policy activities under conditions tailored for each type of such permitted use or disclosure.

• The amount of information to be used or disclosed would be restricted to the minimum amount necessary to accomplish the relevant purpose, taking into consideration practical and technological limitations.
  
  
  • There would be exceptions for situations in which assessment of what is minimally necessary is appropriately made by someone other than the covered entity (e.g., such as when an individual authorizes a use or disclosure of information, or when the disclosure is mandatory under another law).
    
    
  • We would allow covered entities to rely on requests by certain public agencies in determining the minimum necessary information for certain disclosures.
    
    
  • Under the principle of minimum necessary use, if an entity consists of several different components, the entity would be required to create barriers between components so that information is not used or shared inappropriately.
  
  
  
• To encourage covered entities to strip identifiers from health information when it is possible to do so, we would permit a covered entity to use and disclose such de-identified information in any way, provided that:
  
  
  • it does not disclose the key or other mechanism that would enable the information to be re-identified, and
    
    
  • it has no reason to believe that such use or disclosure will result in the use or disclosure of protected health information (e.g., because the recipient has the means to re-identify the information).
  
  
  
• We would treat the key to coded identifiers the same as the information to which it pertains. A covered entity could use or disclose a key only as it could use or disclose the underlying information.
  
  
• We would permit covered entities to disclose protected health information to persons they hire to perform functions on their behalf, where such information is needed for that function. These "business partners" would include contractors such as lawyers, auditors, consultants, health care clearinghouses, and billing firms, but not members of the covered entity's workforce.
  
  
• Except where the business partner is providing a treatment consultation or referral, we would require covered entities to enter into contracts with their business partners and would require the contracts to include terms to ensure that the protected health information disclosed to a business partner remains confidential. Business partners would not be permitted to use or disclose protected health information in ways that would not be permitted of the covered entity itself. We use the contract as a tool for protecting information, because the HIPAA does not provide legislative authority for the rule to reach many such business partners directly.
  
  
• The uses and disclosures permitted by this rule would be exactly that -- permitted, not required. For disclosures not compelled by other law, providers and payers would be free to disclose or not, according to their own policies and principles. At the same time, nothing in this rule would provide authority for a covered entity to refuse to make a disclosure mandated by other law.
  
  
• Only two disclosures would be required by this proposed rule: disclosure to the subject individual pursuant to the individual's request to inspect and copy health information about him or her, and certain disclosures for the purposes of enforcing the rule.
  
  
• Health information covered by the proposed rule generally would remain protected for two years after the death of the subject of the information, subject to certain exceptions.

Disclosures without authorization for health care treatment, payment, and operations

• Covered entities could use and disclose protected health information without authorization for treatment, payment and health care operations. This would include purposes such as quality assurance, utilization review, credentialing, and other activities that are part of ensuring appropriate treatment and payment.
  
  
• Individuals generally could ask a covered entity to restrict further use and disclosure of protected health information for treatment, payment, or health care operations, with the exception of uses or disclosures required by law. The covered entity would not be required to agree to such a request, but if the covered entity and the individual agree to a restriction, the covered entity would be bound by the agreement.

Uses and disclosures with individual authorization

• Covered entities could use or disclose protected health information with the individual's authorization for almost any lawful purpose.
  
  
• We would prohibit covered entities from conditioning treatment or payment on the individual agreeing to disclose information for other purposes, and require the authorization form to state this prohibition.
  
  
• While the provisions of this proposed rule are intended to make authorizations for treatment and payment purposes unnecessary, some States may continue to require them. Generally, this rule would not supersede such State requirements. However:
  
  
  • the rule would impose a new requirement that such State-mandated authorizations must be physically separate from an authorization for other purposes described in this rule.
    
    
  • the authorization would have to meet the rule's requirements for the content of such authorizations (although a state law could require that an authorization contain additional provisions).
  
  
• We would require authorizations to specify the information to be disclosed, who would get the information, and when the authorization would expire. If an authorization is sought so that a covered entity may sell or barter the information, the covered entity would have to disclose this fact on the authorization form.
  
  
• Use or disclosure of information by the covered entity inconsistent with the authorization would be unlawful.
  
  
• Individuals could revoke an authorization.

Permissible uses and disclosures for purposes other than treatment, payment and operations

• Covered entities could use and disclose protected health information without individual authorization for the following national priority activities:
  
  
  • Oversight of the health care system, including quality assurance activities;
  • Public health, and in emergencies affecting life or safety;
  • Research;
  • Judicial and administrative proceedings; Law enforcement;
  • To provide information to next-of-kin;
  • For identification of the body of a deceased person, or the cause of death;
  • For government health data systems;
  • For facilities' (hospitals, etc.) directories;
  • To financial institutions, for processing payments for health care; and
  • In other situations where the use or disclosure is mandated by other law, consistent with the requirements of the other law.
  
  
• Specific conditions would have to be met in order for the use or disclosure of protected health information to be permitted. These conditions are tailored to the need for each specific category listed above and to the types of organizations involved in such activities.

Individual rights

The proposed rule would provide several basic rights for individuals with respect to protected health information about them. Individuals would have:

• The right to receive a written notice of information practices from health plans and providers. The notice must describe the types of uses and disclosures that the plan or provider would make with health information (not just those uses and disclosures that could lawfully be made). When plans and providers change their information practices, they would also have to update the notice. Plans and providers would be required to follow the information practices specified in their most current notice.
  
  
• The right to obtain access to protected health information about them, including a right to inspect and obtain a copy of the information.
  
  
• The right to request amendment or correction of protected health information that is inaccurate or incomplete.
  
  
• The right to receive an accounting of the instances where protected health information about them has been disclosed by a covered entity for purposes other than treatment, payment, or health care operations (subject to certain time-limited exceptions for disclosures to law enforcement and oversight agencies).

Administrative requirements and policy development and documentation

This proposed rule would require providers and payers to develop and implement basic administrative procedures to protect health information and the rights of individuals with respect to that information.

• Covered entities would be required to maintain documentation of their policies and procedures for complying with the requirements of the proposed rule. The documentation must include a statement of the entity's practices regarding who would have access to protected health information, how that information would be used within the entity, and when that information would or would not be disclosed to other entities.
  
  
• Covered entities would be required to have in place administrative systems, appropriate to the nature and scope of their business, that enable them to protect health information in accordance with this rule. Specifically, covered entities would be required to:
  
  
  • designate a privacy official;
  • provide privacy training to members of its workforce;
  • implement safeguards to protect health information from intentional or accidental misuse;
  • provide a means for individuals to lodge complaints about the entity's information practices, and maintain a record of any complaints; and
  • develop a system of sanctions for members of the workforce and business partners who violate the entity's policies.

Scalability

We propose privacy standards that covered entities must meet, but leave the detailed policies and procedures for meeting these standards to the discretion of each covered entity.

• We intend that implementation of these standards be flexible and scalable, to account for nature of each covered entity's business, and the covered entity's size and resources. We would require that each covered entity assess its own needs and implement privacy policies appropriate to its information practices and business requirements.
  
  
• The preamble to the proposed rule will include examples of how implementation of these standards are scalable.

Preemption

Pursuant to HIPAA, this rule will preempt state laws that are in conflict with the regulatory requirements and that provide less stringent privacy protections, with specified exceptions for certain public health functions and related activities.

Enforcement

• Under HIPAA, the Secretary is granted the authority to impose civil monetary penalties against those covered entities which fail to comply with the requirements of this regulation.
  
  
• HIPAA also established criminal penalties for certain wrongful disclosures of protected health information. These penalties are graduated, increasing if the offense is committed under false pretenses, or with intent to sell the information or reap other personal gain.
  
  
• Civil monetary penalties are capped at $25,000 for each calendar year for each standard that is violated.

What this proposed rule does not do

• The HIPAA limits the application of our proposed rule to the covered entities. It does not provide the authority for the rule to reach many entities that receive health information from these covered entities, so the rule cannot put in place appropriate restrictions on how such recipients of protected health information may use and re-disclose such information.
  
  
• Any provider who maintains a solely paper information system cannot be subject to these privacy standards.
  
  
• There is no statutory authority for a private right of action for individuals to enforce their privacy rights.