Order Code RS20500
Updated June 11, 2003
CRS Report for Congress
Received through the CRS Web
Medical Records Privacy: Questions and
Answers on the HIPAA Final Rule
C. Stephen Redhead
Specialist in Life Sciences
Domestic Social Policy Division
Summary
As of April 14, 2003, health plans and health care providers and their business
associates must be in compliance with new federal regulations to protect the privacy of
medical information. Plans and providers must provide enrollees and patients with a
notice explaining their privacy rights and how their information will be used. The
privacy rule gives patients the right to inspect and copy their medical records. Plans and
providers are permitted to use and disclose health information for routine health care
operations and for various specified national priority activities (e.g., law enforcement,
public health, research). Providers may also share certain information with family
members and others, provided the patient is given the opportunity to object. Prior
written authorization is required for most other uses and disclosures. Plans and
providers are required to have in place reasonable safeguards to protect the privacy of
patient information and limit the information used or disclosed to the minimum amount
necessary to accomplish the intended purpose of the use or disclosure. Entities that fail
to comply with the rule are subject to civil and criminal penalties, but patients do not
have the right to sue for violations of the rule. The health privacy rule does not preempt,
or override, state laws that are more protective of medical records privacy.
Introduction
As of April 14, 2003, health plans and health care providers and their business
associates must be in compliance with the federal health information privacy regulation.
The privacy rule gives patients the right of access to their medical information and
prohibits health plans and health care providers from using or disclosing individually
identifiable health information without a patient’s written authorization except as
expressly permitted or required by the rule. For routine health care operations, including
treatment and payment, plans and providers may use and disclose health information
without the individual’s authorization and with few restrictions. In certain other
circumstances (e.g., disclosures to family members and friends), the rule requires plans
and providers to give the individual the opportunity to object to the disclosure. The rule
also permits the use and disclosure of health information without the individual’s
Congressional Research Service ˜ The Library of Congress

CRS-2
permission for various specified activities (e.g., public health oversight, law enforcement)
that are not directly connected to the treatment of the individual. For uses and disclosures
that are not permitted by the regulation, plans and providers must obtain a patient’s
written authorization.
The privacy rule is having an important and visible impact on the administration of
health care. Anyone enrolling in a health plan, picking up a prescription, or entering a
doctor’s office or hospital must be given a notice that describes their rights under the rule
and explains how the plan or provider intends to use or disclose their health information.
For their part, health plans and health care facilities must have in place reasonable
administrative, technical, and physical safeguards to protect patient information from
intentional or unintentional uses or disclosures that are in violation of the rule.
The health privacy rule is one of several new standards mandated by the 1996 Health
Insurance Portability and Accountability Act (HIPAA) to support the growth of electronic
record keeping and claims processing in the nation’s health care system. The intent of the
legislation is to improve the efficiency and effectiveness of health care by facilitating the
electronic interchange of health information. On August 17, 2000, the Secretary of Health
and Human Services (HHS) issued standards for several electronic health care
transactions between plans and providers (e.g., claims for payment), including the use of
uniform data codes for reporting diagnoses, referrals, authorizations, and medical
procedures. The compliance deadline for the transactions and codes standards is October
16, 2003. On February 20, 2003, the Secretary published security standards to ensure the
confidentiality, integrity, and availability of electronic health information. Most plans and
providers have until April 21, 2005, to comply with the security standards.
The growing use of networked, electronic health information has raised serious
privacy concerns among the public. Patients are increasingly worried about who has
access to their medical information without their express consent. They fear that their
personal health information will be used to deny them employment or insurance. HIPAA
gave Congress until August 21, 1999, to enact comprehensive health privacy legislation,
otherwise the HHS Secretary was instructed to develop health privacy standards. When
Congress missed its self-imposed deadline, the Secretary proposed health privacy
standards on November 3, 1999, and published the final rule on December 28, 2000.
Modifications to the privacy rule were published on August 14, 2002.
Questions and Answers about the Health Privacy Rule
Who is Covered? As specified under HIPAA, the privacy regulation applies to
three groups of entities: (i) individual and group health plans that provide or pay for
medical care; (ii) health care clearinghouses (i.e., entities that facilitate and process the
flow of information between health care providers and payers); and (iii) health care
providers who transmit health information electronically in a standard format in
connection with one of the HIPAA-specified transactions, or who rely on third-party
billing services to conduct such transactions. The rule, therefore, does not apply directly
to other entities that collect and maintain health information such as life insurers,
researchers, employers (unless they are acting as providers or plans), and public health
officials. However, business associates with whom covered entities share health
information are covered. Business associates include persons who provide legal,
actuarial, accounting, data aggregation, management, administrative, accreditation, or

CRS-3
financial services to or for a covered entity. The rule permits a covered entity to disclose
health information to a business associate or to allow the business associate to create or
receive health information on its behalf, provided both parties sign a written contract that
essentially binds the business associate to the covered entity’s privacy practices.
What Types of Health Information are Covered? The rule covers all
individually identifiable health information that is created or received by a covered entity,
including genetic information and information about an individual’s family history. It
applies to both paper and electronic records, as well as oral communications. Non-
identifiable health data, from which all personal identifiers have been removed, are not
subject to the rule.
Can Patients Access and Amend their Health Information? Yes, covered
entities must allow patients to inspect or obtain a copy of their health information, except
in certain limited circumstances. Covered entities may charge a reasonable, cost-based
copying fee. Patients may also request amendment or correction of information that is
incorrect or incomplete. Finally, patients have the right to receive a detailed accounting
of certain types of disclosures of their health information made by covered entities during
the past 6 years. Disclosures for routine health care operations and those made pursuant
to an authorization (see below) are exempt from the accounting requirement.
How May Plans and Providers Use and Disclose Patient Information?
The privacy rule imposes certain restrictions on when and how health plans and health
care providers may use and disclose medical information. Plans and providers may use
and disclose health information for treatment, payment, and other routine health care
operations (TPO) without the individual’s permission and with only a few restrictions.
Patients have the right to request that covered entities restrict the use and disclosure of
their health information for TPO, but covered entities are not required to agree to such a
request.
The privacy rule also permits the disclosure of health information without a patient’s
authorization for various specified national priority activities, consistent with other
applicable laws and regulations. First, disclosures may be made for public health
purposes (e.g., reporting diseases, collecting vital statistics), as required by state and
federal law. Second, health information may be disclosed to public agencies to conduct
health oversight activities such as audits; inspections; civil, criminal, or administrative
proceedings; and other activities necessary for oversight of the health care system. Third,
disclosures may be made to law enforcement officials pursuant to a warrant, subpoena,
or order issued by a judicial officer, or pursuant to a grand jury subpoena. Disclosures for
law enforcement purposes are also permitted pursuant to an administrative subpoena or
summons where a three-part test is met (i.e., the information is relevant, the request is
specific, and non-identifiable information could not reasonably be used). Fourth, health
information may be disclosed in judicial and administrative proceedings if the request
for the information is made through or pursuant to a court order. Fifth, covered entities
may disclose health information to researchers without a patient’s authorization,

CRS-4
provided an Institutional Review Board (IRB) or an equivalent, newly formed “privacy
board” reviews the research protocol and waives the authorization requirement.1
Additionally, health information may be disclosed without authorization: (i) to
coroners, medical examiners, and funeral directors; (ii) to workers’ compensation
programs; (iii) to a government authority authorized to receive reports of abuse, neglect,
or domestic violence; (iv) to organizations in order to facilitate organ, eye, and tissue
donation and transplantation; (v) to government agencies for various specialized functions
(e.g., national security and intelligence activities); (vi) to avert a serious threat to health
or safety; (vii) and in other situations as required by law.
For the most part, the privacy rule addresses permissible uses and disclosures. HHS
expects covered entities to rely on their professional judgement in deciding whether to
permit the use or disclosure of health information covered under the rule. Covered
entities are required to disclose information only to the individual who is the subject of
the information and to HHS for enforcement of the regulation. For all uses and
disclosures of health information that are not otherwise required or permitted by the rule
(e.g., releasing information to financial institutions that offer mortgages and other types
of loans, or selling mailing lists to marketing companies), covered entities must obtain a
patient’s written authorization.
Authorization forms must contain certain specified core elements including a
description of the health information to be used or disclosed and the identity of the
recipient of the information. In general, a covered health care provider may not condition
the provision of treatment on receiving a patient’s authorization. Health plans may
condition enrollment or eligibility for benefits on the provision of an authorization prior
to an individual’s enrollment in the plan. Patients may in writing revoke their
authorization at any time.
Can Medical Information be Shared with a Patient’s Family or Friends?
The rule permits covered entities to disclose information to a family member, relative,
close friend, or other person identified by the individual. Only information that is directly
relevant to such person’s involvement with the individual’s care may be shared. If the
individual is present and able to make health care decisions, the covered entity may
disclose information if the patient has been given, in advance, the opportunity to object
to any disclosures, or the covered entity reasonably infers that the patient does not object.
When the patient is not present, the covered entity may use its professional judgment and
experience with common practice in deciding whether a disclosure is appropriate. A
pharmacist, for example, may allow a family member or other individual to pick up
someone’s prescription.
Does the Rule Block Access by Parents to a Minor’s Information?
Generally, a parent is deemed to have the rights associated with a minor’s health
1 All federally funded research that involves human subjects, as well as clinical trials of new
drugs and medical devices (regardless of the source of funding), are governed by a set of federal
regulations called the Common Rule (45 CFR 46, Subpart A). Under the Common Rule,
research proposals must be approved by an IRB, which decides whether or not to require
informed consent based on the level of risk to the research subjects.

CRS-5
information, including the right to authorize disclosure or to request access to the
information. However, if a minor is authorized by state law to consent to treatment and
has consented to care (with or without the consent of a parent), the rule gives the minor
the rights associated with that information. Whether or not a parent has access to the
information is also largely governed by state law. The rule allows covered entities to
disclose a minor’s information to a parent if such disclosure is permitted or required by
state law. Similarly, disclosure to a parent is prohibited where prohibited by state law.
Are There Limits on the Amount of Information Disclosed? The rule
requires that whenever a covered entity uses or discloses health information, or requests
such information from another covered entity, it must make a reasonable effort to limit
the information to the minimum amount necessary to accomplish the intended purpose
of the use or disclosure. The minimum necessary standard does not apply to: treatment-
related disclosures; disclosures made to patients upon their request; disclosures made to
the Secretary to enforce compliance; any uses or disclosures for which the covered entity
has received an authorization; and uses or disclosures that are required by law.
What about Incidental Disclosures? Incidental uses and disclosures of health
information that occur as a result of a use or disclosure that is otherwise permitted by the
privacy regulation are not considered violations of the rule, provided that the covered
entity has met the reasonable safeguards and minimum necessary standards. Examples
of incidental uses and disclosures include patient sign-in sheets, bedside charts, and
confidential conversations that are inadvertently overheard by others.
Are Covered Entities Required to Explain their Privacy Practices to
Patients? As noted earlier, health plans and health care providers must provide patients
with a written notice of their privacy practices. Plans are required to give notice at
enrollment. Providers that have a direct treatment relationship with the patient are
required to give notice at the date of first service delivery and, except in emergency
situations, make a good faith effort to obtain a written acknowledgment from the patient
of receipt of the notice. The notice must include a description of the patient’s rights, the
legal duties of the covered entity, and a description of the types of uses and disclosures
of information that are permitted, including those that do not require an authorization.
Does the Rule Restrict Employers’ Access to Health Information? The
rule permits a group health plan to disclose individually identifiable health information
to an employer that sponsors the plan, provided the information is used only for plan
administration purposes. In order for a group health plan to disclose health information
to a plan sponsor, the plan documents must be amended so that they limit the uses and
disclosures of information by the sponsor to those consistent with the privacy rule. In
addition, an employer must certify to a group health plan that it will not use the
information for employment-related actions (e.g., hiring and promotion decisions). The
employer must agree to establish adequate firewalls, so that only those employees that
need health information to perform functions on behalf of the group health plan have
access to such information.
Can Medical Information be Used for Marketing? A covered entity may not
disclose health information to a third party (e.g., pharmaceutical company), in exchange
for direct or indirect remuneration, for the marketing activities of the third party without
first obtaining a patient’s authorization. Similarly, a covered entity may not use or

CRS-6
disclose health information for its own marketing activities without authorization.
However, communications made by a covered entity (or its business associate) to
encourage a patient to purchase or use a health care-related product or service are not
defined as marketing under the rule and, therefore, do not require the patient’s
authorization, even if the covered entity is paid. Such communications include
prescription refill reminders and information about alternative treatments, as well as more
controversial activities paid for by third parties (e.g., communications by pharmacies, paid
for by a drug manufacturer, that recommend patients switch their medication to the
company’s product).
What Must Covered Entities do to Ensure Compliance? Covered entities
must have reasonable administrative, technical, and physical safeguards in place,
commensurate with the size and scope of their business, to protect the privacy of patient
information. These include designating a privacy official, training employees, and
developing a system of sanctions for employees who violate the entity’s policies.
Covered entities are not directly liable for the actions of their business associates. They
may be held liable if they know of a business associate’s pattern of activity or practice in
violation of the contract and they fail to take reasonable steps to correct the problem and,
if such steps are unsuccessful, terminate the contract or report the problem to HHS.
Does the Rule Preempt State Health Privacy Laws? As mandated by
HIPAA, the rule does not preempt, or override, state laws that are more protective of
patient privacy. Although most states do not have comprehensive health privacy laws,
many states have detailed, stringent standards governing the use and disclosure of health
information related to certain medical conditions, such as mental illness, genetic testing,
and communicable diseases (e.g., HIV/AIDS). These stronger privacy protections will
remain in force. The rule only preempts state laws that are in conflict with its
requirements and that provide less stringent privacy protections. Therefore, it serves as
a federal “floor” of minimum privacy protections.
How Will the Rule be Enforced? HIPAA did not grant individuals the right to
sue for violations of their health information privacy. Instead, any person who believes
a covered entity is not complying with the privacy rule may file a complaint with HHS’s
Office of Civil Rights (OCR), which is responsible for implementing and enforcing the
rule. HHS officials have said that they intend to work with covered entities to encourage
voluntary compliance, and that enforcement of the rule will be reactive and complaint-
driven. Under HIPAA, OCR has the authority to impose civil monetary penalties against
covered entities that fail to comply with the regulation, and criminal penalties for certain
wrongful disclosures of personal health information. The civil fines are $100 per
incident, capped at $25,000 per year for each provision that is violated. The criminal
penalties include fines of up to $250,000 and up to 10 years in prison for disclosing or
obtaining health information with the intent to sell, transfer or use it for commercial
advantage, personal gain, or malicious harm.
Where Can I Obtain More Information? General information on all the
HIPAA standards can be found at [http://aspe.os.dhhs.gov/admnsimp]. Answers to
frequently asked questions and other details on complying with the privacy rule may be
found at [http://www.hhs.gov/ocr/hipaa]. Additional reports on the privacy rule are
available on the CRS home page at [http://www.crs.gov].