Summary of the Proposed Rule for the Privacy of Individually Identifiable Health Information

On November 3, 1999, the Secretary of Health and Human Services (HHS) issued a proposed rule on patient privacy to implement the security and privacy Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA directed the Secretary, in the absence of legislation governing standards with respect to the privacy of individually identifiable health information, to promulgate final regulations containing such standards by February 21, 2000. Although Congress considered several proposals to protect health information, Congress did not enact legislation governing standards with respect to the privacy of individually identifiable health information by the August 1999 deadline imposed by HIPAA. The comment period on the proposed rule closed on February 17, 2000, with HHS receiving more than 40,000 comments on the proposed rule. Final regulations are anticipated this Spring.

Order Code RL30477
CRS Report for Congress
Received through the CRS Web

Summary of the Proposed Rule for the Privacy of Individually Identifiable Health Information

March 22, 2000

Gina Marie Stevens, Legislative Attorney, American Law Division
(name redacted), Law Clerk, American Law Division

Congressional Research Service, The Library of Congress

ABSTRACT

The purpose of this report is to provide a summary of the proposed rule issued November 3, 1999 to protect the privacy of individually identifiable health information. The Health Insurance Portability and Accountability Act of 1996 required issuance of a final privacy standard by February 21, 2000. This report will be updated as warranted.

Contents

Background
Applicability
General Rules
Uses and Disclosures with Individual Authorization
  Uses and Disclosures When the Individual Initiates the Disclosure (§ 164.508(a)(1))
  Uses and Disclosures When the Covered Entity Initiates the Disclosure (§ 164.508(a)(2))
Uses and Disclosures Permitted Without Individual Authorization (§ 164.510)
  Uses and Disclosures for Public Health Activities (§ 164.510(b))
  Uses and Disclosures for Health Oversight Activities (§ 164.510(c))
  Uses and Disclosures for Judicial and Administrative Proceedings (§ 164.510(d))
  Disclosure to Coroners and Medical Examiners (§ 164.510(e))
  Disclosure for Law Enforcement (§ 164.510(f))
  Uses and Disclosures for Governmental Health Data Systems (§ 164.510(g))
  Disclosure of Directory Information (§ 164.510(h))
  Disclosure for Banking and Payment Processes (§ 164.510(i))
  Uses and Disclosure for Research (§ 164.510(j))
  Use and Disclosure in Emergency Circumstances (§ 164.510(k))
  Disclosure to Next-of-Kin (§ 164.510(l))
  Uses and Disclosures for Specialized Classes (§ 164.510(m))
  Uses and Disclosures Otherwise Required by Law (§ 164.510(n))
Individual Rights
  Written Notice of Information Practices (§ 164.512)
  Access for Inspection and Copying (§ 164.514)
  Accounting of Disclosures (§ 164.515)
  Amendment and Correction (§ 164.516)
Costs
Preemption (§ 160.203)
Compliance and Enforcement
Effective Date

Background

On November 3, 1999, the Secretary of Health and Human Services (HHS) issued a proposed rule[1] on patient privacy to implement the security and privacy Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[2] The comment period on the proposed rule closed on February 17, 2000.[3] Final regulations are anticipated this spring. The privacy rule is one of several proposed rules published by HHS to implement the Administrative Simplification provisions of the HIPAA.[4] Sections 261 through 264 of HIPAA are known as the Administrative Simplification provisions.[5] Section 262 directs HHS to issue standards to facilitate the electronic exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit electronically in connection with such transactions.[6] Section 262 also directs HHS to develop standards to protect the security, including the confidentiality and integrity, of such information.

Section 264 requires the Secretary of HHS to develop and submit to the Congress recommendations for the privacy rights that an individual who is a subject of individually identifiable health information should have, the procedures that should be established for the exercise of such rights, and the uses and disclosures of such information that should be authorized.[7] Section 264 also directs the Secretary, in the absence of legislation governing standards with respect to the privacy of individually identifiable health information, to promulgate final regulations containing such standards by February 21, 2000.

Notes

1. Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59917-60065 (Nov. 3, 1999) (to be codified at 45 C.F.R. pts. 160-164), <http://aspe.hhs.gov/admnsimp/nprm/pvclist.htm>; see also Hearing on the Confidentiality of Patient Records, Testimony Before the Subcommittee on Health of the House Committee on Ways and Means, 106th Congress (2000), <http://www.house.gov/ways_means/health/106cong/2-17-00/2-17hamb.htm>.
2. P.L. 104-191; 42 U.S.C. § 1320d et seq.
3. 64 Fed. Reg. 69981 (December 15, 1999).
4. Administrative Simplification Rules, <http://aspe.hhs.gov/admnsimp/nprm/index.htm>.
5. See CRS Report 98-964, The Health Insurance Portability and Accountability Act (HIPAA): Summary of the Administrative Simplification Provisions (Nov. 18, 1998).
6. 42 U.S.C. § 1320d-2.
7. 42 U.S.C. § 1320d-2 note.
Although Congress considered several proposals to protect health information, Congress did not enact legislation governing standards with respect to the privacy of individually identifiable health information.[8] The Secretary made preliminary recommendations to Congress on September 11, 1997 on ways to protect individually identifiable information.[9] In the absence of federal legislation, on November 3, 1999 the Secretary issued a proposed rule to implement the Administrative Simplification privacy standard of HIPAA.[10] In the rule, HHS proposes to establish a new 45 CFR subchapter C, parts 160 through 164. Part 160 consists of general administrative requirements (general provisions and preemption of state law); parts 161-163 [reserved] will consist of the various Administrative Simplification regulations relating to transactions and identifiers; and part 164 consists of the regulations implementing the security and privacy requirements of HIPAA.

In the proposed rule, HHS recognized that efforts to provide legal protection against the inappropriate use of individually identifiable health information have been made primarily by the States, and that state protections are by and large incomplete and, at times, inconsistent. HHS concluded that a clear and consistent set of privacy standards would improve the effectiveness and efficiency of the health care system. The proposal of the Secretary of Health and Human Services is intended to strike a balance between an individual's right to privacy in their medical records and the public policy need for access to these medical records to promote public safety. Specifically, the proposed regulations are intended to "make the use and exchange of protected health information relatively easy for health care purposes, and more difficult for purposes other than health care."[11] Thus, the information is available to those with legitimate needs once the prerequisites are satisfied, while not being available as a general rule.

These proposed regulations apply to a specified set of covered entities: health care providers, health plans, and health care providers who transmit the information in electronic form.[12] The materials that "covered entities"[13] transmit electronically would include: the information itself (not the particular records in which the information is contained), and the information as it is transformed by the receiver, be it a paper or electronic file.[14] The release of individually identifiable health care information would be allowed under certain approved circumstances.

Treatment, payment, and health care operations are permissible uses for which disclosure without individual authorization is approved.[15] Additionally, public policy approves the disclosure of this information for "national priority activities, such as reducing health care fraud, improving quality of treatment through research, protecting the public health, and responding to emergency situations."[16] Health care fraud is an example which clearly illustrates the need for access to individually identifiable health care information.[17] In order to uncover health care fraud, an individual's care would need to be assessed for unnecessary treatments or bills for services which were never rendered.[18] Some studies estimate that Medicare and Medicaid fraud cost the state and federal governments tens of billions of dollars per year.[19] Thus, access to individual health care information becomes vital in stopping and prosecuting health care fraud and abuse.[20]

However, privacy in medical records poses a very legitimate ethical issue. Because the information at issue is individually identifiable health care information, it is linked to the individual patient.[21] Therefore, confidentiality poses a challenge to ensure that proper policy and legal constraints are maintained to guarantee that unauthorized access is not obtained.[22] The best case scenario would be to obtain permission directly from the individual whose health information is sought.[23] However, instances do exist in which individual approval is not obtainable.[24]

What follows is a discussion of the privacy rule, a description of the policies and procedures that would govern the circumstances under which protected health information may be used and released with and without patient authorization, and the requirements with respect to a patient's right of access to her or his protected medical information.

Notes

8. See generally Harold Relyea, Stephen Redhead, (name redacted), CRS Issue Brief IB98002, Medical Records Confidentiality (updated regularly).
9. Confidentiality of Individually-Identifiable Health Information: Recommendations of the Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996, <http://aspe.os.dhhs.gov/admnsimp/pvcrec.htm>.
10. See generally Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59917 (1999).
11. See id. at 59924.
12. See id. See generally Hearing on the Confidentiality of Patient Records, supra note 1 (Statement of N. Stephen Ober, M.D., President and Chief Executive Officer, Synergy Health Care, explains that the transfer of health information via electronic means has grown rapidly. "...Today 62% of all healthcare claims are processed electronically, and for hospital and pharmacy claims the percentage is over 80%. In 1998 some 2.7 billion out of a total 4.4 billion claims were processed electronically....").
13. See id. at 59924 passim.
14. Id.
15. See id. at 59925.
16. See id.; see also Hearing on the Confidentiality of Patient Records, supra note 1 (in order for there to be disclosures for purposes other than treatment, payment, and operations, "specific conditions would have to be met in order for the use or disclosure of protected health information [would be] permitted.").
17. (name redacted), Jennifer O'Sullivan, CRS Report 97-895, Health Care Fraud: A Brief Summary of Law and Federal Anti-Fraud Activities, p. 1 (updated Sept. 24, 1997) ("Health care fraud has been described as an intentional attempt to wrongfully collect money relating to medical services....").
18. Health Law, Cases, Materials, and Problems 574 (Barry R. Furrow et al. eds., 1997). See also supra note 10, at 1 ("Fraud and abuse commonly involve improper billing practices by health care providers and consumers....").
19. See id.
20. Katheryn Ehler-Lejcher, The Expansion of Corporate Compliance: Guidance for Health Care Entities, 25 Wm. Mitchell L. Rev. 1339 (1999) (citing that the DOJ has recouped millions of dollars via litigation over health care fraud and abuse. Similarly, the Office of the Inspector General for DHHS has expanded its efforts in curbing incidents of health care fraud and abuse.) Id.
21. Patricia I. Carter, Health Information Privacy: Can Congress Protect Confidential Medical Information In The "Information Age," 25 Wm. Mitchell L. Rev. 223, 234 (1999).
22. Id. at 235. But see Hearing on the Confidentiality of Patient Records, supra note 1 (William G. Plested, III, M.D., testifying on behalf of the American Medical Association (AMA) that the "proposed regulation...does not adequately protect patient confidentiality and privacy and that substantially and unacceptably increases administrative burdens for physicians.").
23. Id. at 234.
24. See generally supra note 1, at 59925.

Applicability

HIPAA limits the scope of the Secretary's regulations to the following covered entities:

- Health plans,[25]
- Health care clearinghouses,[26] and
- Health care providers[27] who engage in electronic administrative simplification transactions.[28]

In the regulations, HHS expressed concern that many of the holders of health information fall outside the scope of the proposed rule because of its limited regulatory authority, and therefore cannot be covered by the regulation pursuant to HIPAA.[29] Examples of such health information holders include:

- Many of the persons who obtain identifiable health information from the covered entities (e.g., contractors, researchers, public health officials, workers compensation carriers, life insurance issuers, employers and marketing firms).[30]
- Many of the persons that covered entities hire to perform administrative, accounting, legal, and similar services for them, and who obtain health information in order to perform their duties.
- Any provider who maintains a solely paper information system.

In background comments to the proposed rule, HHS noted that it was prevented from proposing optimal policies to protect individually identifiable information because it lacked authority to apply the proposed rule directly to any entity that is not a covered entity. In response to this gap, HHS requires covered entities to apply many of the provisions of the proposed rule to entities with whom they contract for administrative and other services.

The proposed rule applies only to a subset of individually identifiable health information: that which is maintained or transmitted by covered entities and which is or has been transmitted in electronic form. Once the information has been maintained or transmitted electronically by a covered entity, the protections of the rule follow the information in whatever form, including paper records, in which it exists (while it is held by a covered entity). HHS expressed concern about the potential confusion that could result from its proposal, with some health information protected while other similar information (paper records not maintained or transmitted electronically) would not be. Based on its belief that application of the proposed rule only to information in an electronic form will not result in adequate protection for consumers, HHS requested comment on whether it should extend the scope of the rule to all individually identifiable information, including purely paper records, maintained by covered entities. Cognizant of the issue that extending its regulatory coverage might be inconsistent with the intent of the provisions in HIPAA, HHS nonetheless stated "... we believe that we do have the authority to do so and that there are sound rationale for providing a consistent level of protection to all individually identifiable health information held by covered entities."[31]

Notes

25. Health plan means an individual or group plan that provides, or pays the cost of, medical care. Such term includes, when applied to government funded or assisted programs, the components of the government agency administering the program. "Health plan" includes the following, singly or in combination: (1) A group health plan, defined as an employee welfare benefit plan (as currently defined in section 3(1) of the Employee Retirement Income and Security Act of 1974, 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance or otherwise, that: (i) Has 50 or more participants; or (ii) Is administered by an entity other than the employer that established and maintains the plan. (2) A health insurance issuer, defined as an insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a State and is subject to State or other law that regulates insurance. (3) A health maintenance organization, defined as a federally qualified health maintenance organization, an organization recognized as a health maintenance organization under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such a health maintenance organization. (4) Part A or Part B of the Medicare program under title XVIII of the Act. (5) The Medicaid program under title XIX of the Act. (6) A Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss). (7) A long-term care policy, including a nursing home fixed-indemnity policy. (8) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers. (9) The health care program for active military personnel under title 10 of the United States Code. (10) The veterans health care program under 38 U.S.C. chapter 17. (11) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in 10 U.S.C. 1072(4). (12) The Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601, et seq.). (13) The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89. (14) An approved State child health plan for child health assistance that meets the requirements of section 2103 of the Act. (15) A Medicare Plus Choice organization as defined in 42 CFR 422.2, with a contract under 42 CFR part 422, subpart K. (16) Any other individual or group health plan, or combination thereof, that provides or pays for the cost of medical care.
26. "Health care clearinghouse means a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. The entity receives health care transactions from health care providers or other entities, translates the data from a given format into one acceptable to the intended payer or payers, and forwards the processed transaction to appropriate payers and clearinghouses. Billing services, repricing companies, community health management information systems, community health information systems, and ``value-added'' networks and switches are considered to be health care clearinghouses for purposes of this part, if they perform the functions of health care clearinghouses as described in the preceding sentences." 64 Fed. Reg. at 60049.
27. "Health care provider means a provider of services as defined in section 1861(u) of the Act, a provider of medical or health services as defined in section 1861(s) of the Act, and any other person or organization who furnishes, bills, or is paid for health care services or supplies in the normal course of business." 64 Fed. Reg. at 60050.
28. "Transaction means the exchange of information between two parties to carry out financial or administrative activities related to health care. It includes the following: (1) Health claims or equivalent encounter information; (2) Health care payment and remittance advice; (3) Coordination of benefits; (4) Health claims status; (5) Enrollment and disenrollment in a health plan; (6) Eligibility for a health plan; (7) Health plan premium payments; (8) Referral certification and authorization; (9) First report of injury; (10) Health claims attachments; and (11) Other transactions as the Secretary may prescribe by regulation." 64 Fed. Reg. at 60050.
29. See also Hearing on the Confidentiality of Patient Records, Testimony Before the Subcommittee on Health of the House Committee on Ways and Means, 106th Congress (2000), <http://www.house.gov/ways_means/health/106cong/2-17-00/2-17hamb.htm> (Statement by the Honorable Margaret A. Hamburg, M.D. that the scope of the proposed regulations include "health care providers who transmit health information electronically, health plans, and health care clearinghouses...Protection would start when information becomes electronic, and would stay with the information as long as the information is in the hands of a covered entity....The paper progeny of electronic information is covered...."). But see id. (Testimony of Janlori Goldman, Director, Health Privacy Project, Institute for Health Care Research and Policy, Georgetown University, strongly urges Congress to pass a more comprehensive regulation which would apply to "all those who generate, maintain, or receive protected health information.") (emphasis in the original).
30. 64 FR 59923.
31. Id. at 59924.

General Rules

- Covered entities are prohibited from using and disclosing protected health information (PHI) except as provided (§ 164.506).
- Covered entities can use or disclose PHI with individual authorization (§ 164.508).
- Covered entities can use or disclose PHI without individual authorization (§ 164.510):
  - for treatment, payment, and health care operations;
  - for specified public and public policy-related purposes (including public health, research, health oversight, law enforcement, and use by coroners);
  - when required by other law (such as mandatory reporting under state law or pursuant to search warrant).
- Covered entities are required to disclose PHI:
  - to permit individuals to inspect and copy PHI about themselves (§ 164.514);
  - for enforcement of this rule (§ 164.522).

With certain exceptions, permitted uses and disclosures of protected health information would be restricted to the minimum amount of information necessary to accomplish the purpose for which the information is used or disclosed, taking into consideration practical and technical limitations and costs (§ 164.506(a)). The proposed rule would also require, with narrow exceptions, covered entities to ensure that the business partners with whom they share protected information understand, through contractual requirements, that they are subject to standards regarding use and disclosure of PHI, and agree to abide by such rules (§ 164.506(e)). The contract between the covered entity and its business partner must limit the business partner's uses and disclosures of PHI to those permitted by the contract, and impose certain security, inspection and reporting requirements on the business partner.

The privacy standards are to be implemented by all covered entities, from the smallest provider to the largest, multi-state health plan. Implementation of the standards is to be flexible and scalable, to account for the nature of each covered entity's business, as well as its size and resources.

Uses and Disclosures with Individual Authorization

Uses and Disclosures When the Individual Initiates the Disclosure (§ 164.508(a)(1))

Under the proposed rule, authorizations must meet the following requirements:
The authorization must include a description of the information to be used or disclosed.The authorization does not have to state the purpose for the disclosure. The authorization must identify sufficiently the covered entity or entities that would be authorized to use or disclose protected health information.The authorization must identify the person or persons that would be authorized to use or receive the protected health information. The authorization must state a specific expiration date. The authorization must include a signature or other authentication (e.g., electronic signature) and the date of the signature.The authorization must include a statement that the individual understands that she or he make revoke the authorization. The authorization must clearly state that when an individual authorizes disclosure of health information to other than a covered entity, the information would no longer be protected once it leaves the covered entity. Uses and Disclosures When the Covered Entity Initiates the Disclosure (§ 164.508(a)(2)) In addition to the requirements above (when the individual initiates the disclosure), when a covered entity initiates the authorization by asking the individual to authorize the disclosure, the following requirements must be met: ! The authorization must include a statement that identifies the purposes for which the authorization is sought as well as the proposed uses and disclosures of that information. Uses or disclosures inconsistent with that statement would constitute a violation of the regulation.The authorization must be narrowly tailored to authorize use or disclosure of only the protected health CRS-9 ! information necessary to the accomplish the purpose specified in the authorization. Broad or blanket authorizations are prohibited. 
Covered entities are required to advise individuals that they may inspect or copy the information to be used or disclosed, that they may refuse to sign the authorization, and that treatment or payment could not be conditioned on the patient’s authorization. The covered entity must provide the individual with a copy of the signed authorization form.If the covered entity will be receiving financial or in-kind compensation in exchange for using or disclosing the health information the authorization must include a statement that the covered entity will gain financially from the disclosure. The regulations include a model form that covered entities and third parties that wish to have information disclosed to them could use to request authorization from individuals for use or disclosure.32 The regulations also propose that all authorizations be written in plain language, and that covered entities be prohibited, except in the case of certain clinical trials, from conditioning treatment or payment for health care on obtaining an authorization for purposes other than treatment, payment or health care operations. A covered entity would not be permitted to obtain an authorization for use or disclosure of information for treatment, payment or health care operations unless required by applicable law. Where such authorization is required by law, it could not be combined with an authorization in the same document for any purpose other than payment, treatment or health care operations (e.g., research). Covered entities would be required to keep a record of all disclosures for purposes other than payment, treatment or health care operations including those made pursuant to authorization. When an individual requests such an accounting or a copy of a signed authorization form, the covered entity is required to provide it. An individual is permitted to revoke an authorization at any time except to the extent that action has been taken in reliance on the authorization. 
If the authorization has any of the following defects, the effect would be that there would be no authorization: the date has expired, it lacks a required element, it has not been filled out completely, it is known to have been revoked, or the information on the form is known by the person holding the records to be materially false.

Uses and Disclosures Permitted Without Individual Authorization (§ 164.510)

Throughout the entirety of section E of the proposed federal regulation on privacy of individually identifiable health information, the proposal emphasizes the proper functioning of the health care system as a whole.33 The categories in this section are intended to “permit and promote key national health care priorities and to ensure that the health care system operates smoothly.”34 The purpose of this section of the proposed regulation is to facilitate use or disclosure without the individual’s authorization; however, the rule is intended to grant permission without creating a mandate.35 At first the drafters considered allowing the use and disclosure of information only where an affirmative legal requirement mandated its use or disclosure.36 In the final draft, the proposal permits the covered entity to use or disclose the information regardless of a legal mandate, because the activities described in the proposal benefit society as a whole,37 expressing the sentiment that the good of the whole outweighs that of the individual.38 Yet, in categories such as psychiatric and substance abuse records, the release of the information would have to conform to the more stringent guidelines of the applicable law, even if the law refuses to allow its use.39 Moreover, if other law requires that the information be reported, the covered entity must comply.40 Summarily, this proposed regulation would not give a covered entity authority to “restrict or refuse to make a use or disclosure mandated by other law.”41

32 Id. at 60065.
33 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 212 §164.510 (1999) (to be codified at 45 C.F.R. pt. 160 - 164) (proposed Nov. 3, 1999).

Uses and Disclosures for Public Health Activities (§ 164.510(b))

The first category of permitted uses or disclosures deals with public health activities.42 Where authorized by law, the covered entity may disclose health information to authorized public health officials without an individual’s authorization.43 Also, where authorized by law, the covered entity may disclose individually identifiable health information to non-governmental entities who are responsible for conducting public health activities.44 In conjunction with other authorizing law, the proposal would allow disclosure to those “persons who are at risk of contracting or spreading a disease.”45 Similarly, when a public hospital or local health department (a government agency) is also the covered entity, an individual’s health information may be disclosed to the extent allowable elsewhere in this section of the proposed regulations.46

34 Id.
35 See id.
36 See id.
37 See id.
38 See id.
39 See id.
40 See id.
41 See id.
42 See supra note 1, at §164.510(b).
43 See id.
44 See id.
45 Id.

As elsewhere in the proposed regulations, the public health activities requirement strives to balance the individual’s right to privacy with the overall well-being of the community as a whole.47 The need for protected health information arises from the priority placed on protecting the public health,48 which requires that public health officials have the individually identifiable health information they need to fulfill their obligation of “promoting health and quality of life by preventing and controlling disease, injury, and disability.”49 These public health functions are to be given a broad reading so as to encompass a wide range of public health activities.50 Examples of these public health activities include: “reporting of vital events such as birth and death to vital statistics agencies....[and] activities undertaken by the FDA to evaluate and monitor the safety of food, drugs, medical devices, and other products.”51 As exemplified by the FDA, the public health authorities given access would not be limited to traditional entities such as the public health department.52 Additionally, non-governmental agencies would also have authority to request individually identifiable health information.53 One example may be a “device manufacturer that collects information under explicit legal authority, or at the direction of the Food and Drug Administration.”54 Yet another example could be a teaching hospital or university that has contracted with public health authorities.55 Finally, a third sub-category of individuals who may receive individually identifiable health information are those who “could have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition and is authorized by law to be notified....”56

46 See id.
47 See supra note 1, at §164.510(b)(a).
48 See id.
49 Id.
50 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 212 §164.510, at §164.510 (b)(b) (1999).
51 Id.
52 Id. at §164.510 (b)(c)(i).
53 See id. at §164.510 (b)(c)(ii).
54 Id.
55 See id.
56 Id. at §164.510 (b)(c)(iii).

Uses and Disclosures for Health Oversight Activities (§ 164.510(c))

Next, the proposed regulations would permit public oversight agencies access to protected health information for use in activities which are authorized by law.57 This rule defines a public oversight agency “as a public agency authorized by law to conduct oversight activities relating to the health care system, a government program for which health information is relevant to determining beneficiary eligibility or a government regulatory program for which health information is necessary for determining compliance with program standards.”58

Uses and Disclosures for Judicial and Administrative Proceedings (§ 164.510(d))

The proposed regulation, § 164.510(d), advances that covered entities may disclose protected health information pursuant to an order by a court or administrative tribunal.59 An actual court order may not be needed if the protected health information being requested relates to either the party in the proceeding for which it is requested, or if the disclosure is otherwise available through the proposed regulation.60 Another instance, which may preclude the necessity of a court order, is one in which a party to the judicial or administrative proceeding is both a government entity and also the covered entity with the information.61 Summarily, the proposal would “permit covered entities to disclose protected health information in a judicial or administrative proceeding if the request for such protected health information is made through or pursuant to a court order or an order by an administrative law judge specifically authorizing the disclosure of protected health information.”62 This section of the proposed regulation is intended to provide access to individual health information in situations that involve judicial and administrative proceedings.63 It anticipates that “litigants, government agencies, and others request information for judicial or administrative proceedings, including judicial subpoenas, subpoenas duces tecum, notices of deposition, interrogatories, and administrative proceedings….”64

57 See id. at §164.510 (c)(a).
58 Id. at §164.510 (c)(b). (Examples of such agencies include: first category-State Medicaid fraud control units; second category-Department of Education; third category-Occupational Health and Safety Administration.) Id.
59 Standards for Privacy of Individually Identifiable Health Information, see supra note 1, at 59958. See also (name redacted), Congressional Research Service, Law Enforcement Access to Third Party Records: Legal Attributes of Procedural Alternatives 7 (General Distribution Memo) (1999). (“Administrative subpoenas may be either investigative (roughly analogous to a grand jury subpoena) or adjudicatory (roughly analogous to a trial subpoena) depending upon the nature of the administrative context in which they arise.”)
60 Standards for Privacy of Individually Identifiable Health Information, see id. But see Hearing on the Confidentiality of Patient Records supra note 12. (The AMA recommends that an order be required for access to records for all judicial and administrative hearings.)
61 Standards for Privacy of Individually Identifiable Health Information, see id.
62 Id. at 59959.
63 See id.

The covered entity would be required to confirm the validity of such an order prior to releasing the information.65 This confirmation would simply entail determining “that the request is pursuant to a court order…or if the individual who is the subject of the protected health information is a party to the proceeding and his or her medical condition or history is at issue.”66 Yet, the covered entity would not be required in this instance to conduct an independent investigation to determine the legality of the court order or request.67 Simply reviewing the request and finding it compliant with the terms of the proposed regulation would be sufficient.68 For example, if the request is accompanied by a court order, the covered entity may rely on the statement within the order which requests the individual’s health information.69 However, the covered entity may not release more information than is requested by the order.70 When a request is not accompanied by a court order, the covered entity must determine the following: “whether the request relates to the protected health information of a litigant whose health is at issue, a written statement from the requester certifying that the protected health information being requested is about a litigant to the proceeding and that the health condition of such litigant is at issue at such proceeding.”71 Also, under these proposed regulations, the party to the proceeding who is seeking the release of the information would generally need to seek judicial review prior to submitting the request.72 The exception to this requirement would be one in which the information is relevant to the proceeding, which allows for the party in opposition to object through his or her counsel.73 Finally, the proposed regulations also note that more stringent rules exist which protect individual medical information, and acknowledge that these other
rules would remain in place.74 For example, when the medical records at issue are substance abuse or psychiatric records, the current federal and state laws would continue to govern these cases.75

64 Id.
65 See id.
66 Id.
67 See id.
68 See id.
69 See id.
70 See id.
71 Id.
72 See id.
73 See id.
74 See id.
75 See id. (referencing the governing of substance abuse records under 42 U.S.C. 290dd-2 which implement 42 CFR part 2; and the discovery of psychiatric records under Jaffee v. Redmond, 116 S.Ct. 1923 (1996)).

Disclosure to Coroners and Medical Examiners (§ 164.510(e))

Because coroners and medical examiners have a legal duty to “identify deceased persons and determine cause of death,” they have a legitimate need for readily available individually identifiable health information.76 This portion of the proposed regulation is particularly important for expediency reasons, since there is a limited amount of time in which an autopsy may be done after death.77 However, covered entities would have an obligation to “verify the identity of the coroner or medical examiner making the request...and the legal authority supporting the request.”78

Disclosure for Law Enforcement (§ 164.510(f))

Law enforcement officials have enhanced access to individual medical records when conducting criminal investigations.79 The proposed regulations would not curb law enforcement access to these medical records; they would only require law enforcement in some instances to obtain a subpoena or warrant in order to gain access.80 Section 164.510(f) permits covered entities to release individually identifiable health information without the individual’s authorization when the law enforcement official is acting in his or her official capacity, subject to certain qualifications.81 The law enforcement official may be conducting lawful intelligence activities.82 Other instances include when the law enforcement official needs the protected health information and it is related to the “victim of a crime, abuse or other harm, if the information is needed to determine both whether a violation of law by a person other than the victim has occurred and whether an immediate law enforcement activity might be necessary.”83 A health care provider or health plan may act in good faith to release information to a law enforcement agent when a crime is suspected of having been committed.84 “[I]f the plan or provider believed in good faith that the disclosed protected health information would constitute evidence of criminal conduct that constitutes health care fraud occurred on the premises of the covered entity, or was witnessed by an employee of the covered entity.”85 Many of these requirements that precede the release of protected health information are consistent with the rules governing criminal procedure. Most notably, they are consistent with the Fourth Amendment to the Constitution.

76 Id. at §164.510(e).
77 See id.
78 Id.
79 See supra note 11 at 282.
80 See supra note 1 at 59960 – 59961. But see Hearing on the Confidentiality of Patient Records supra note 12. (The AMA believes that law enforcement should be allowed access to an individual’s medical information only via a court order. In his testimony for the AMA, Dr. Plested explained that “[p]hysicians and their patients have repeatedly experienced the intrusion of law enforcement into patients’ personal medical information when no need for identifiable information is established and no protections are provided. The unfortunate result is less-rather than greater-confidence in the law enforcement and judicial systems of this country.”)
81 Standards for Privacy of Individually Identifiable Health Information, see id. at 59960.
82 See id.
The Fourth Amendment to the Constitution provides, “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”86 In order for a person to qualify for the Fourth Amendment protections, they must satisfy two requirements: the person must demonstrate an actual, subjective expectation of privacy; and this expectation of privacy must be one that society recognizes as being legitimate.87 Society generally recognizes that a person has a right to privacy in regard to their medical records.88 Thus, a warrant is necessary in order to divulge the contents of these protected records, or probable cause is necessary to proceed without a warrant. A law enforcement official must have probable cause89 prior to a search taking place. In order to have probable cause for a search, it must be more likely than not that the specific items to be searched for are connected with criminal activity, and that these items will be found in the place to be searched.90 Furthermore, when there are exigent circumstances the warrant clause may not apply.91 The most common exigent circumstances are as follows: preventing the imminent destruction of evidence, preventing harm to persons, and being in “hot pursuit” of a suspect.92

83 Id.
84 See id.
85 Id.
86 U.S. Const. Amend. IV.
87 See Katz v. United States, 389 U.S. 347 (1967).
88 See supra note 11 at 231.
89 See Doyle, supra note 15, at 1 n.2. (The meaning of probable cause for law enforcement is that it is a “fair probability that contraband or evidence of a crime will be found in a particular place,” Illinois v. Gates, 462 U.S. 213, 238 (1983)).
90 See American Criminal Procedure Cases and Commentary 67 - 94 (Stephen A. Saltzburg & Daniel J. Capra eds., 5th ed. 1996).
91 See id. at 278 – 299.
92 See id.

This brief overview of the Fourth Amendment will assist in further reviewing the proposed regulations in regard to law enforcement. Many of the prerequisites for law enforcement officials reflect the standards of criminal procedure. Many times the law enforcement official will obtain necessary evidence by first obtaining a “judicially executed warrant, an administrative subpoena, or a grand jury subpoena.”93 Thus, this step of the legal process is consistent with the Fourth Amendment requirement.94 Yet, the proposed regulations also allow for other circumstances, such as time constraints, to necessitate the release of information without first obtaining a warrant.95 The example which is given is when “health information may be needed when a law enforcement official is attempting to apprehend an armed suspect who is rapidly fleeing.”96 This example also parallels the situation in which the Warrant Clause of the Fourth Amendment would not apply because of exigent circumstances.97 The exigent circumstance here is “hot pursuit”: the officer is chasing a fleeing suspect.
When the release of protected health information is in the public interest, the proposed regulations favor making it available to law enforcement officials.98 This is specifically so when the information is being sought as part of an investigation or as evidence at trial.99 The proposed regulation suggests that the covered entity review an administrative request by applying a three-part test.100 The distinction put forth is that administrative actions lack the protections that exist with an independent judicial officer or the secrecy of a grand jury.101 Therefore, a “covered entity could disclose protected health information pursuant to an administrative request, [after determining that] (i) the records sought are relevant and material to a legitimate law enforcement inquiry; (ii) the request is as specific and narrowly drawn as reasonably practicable; and (iii) de-identified information could not reasonably be used to meet the purpose of the request.”102

93 Standards for Privacy of Individually Identifiable Health Information, supra note 1, at 59960.
94 See supra note 39.
95 See supra note 46.
96 Id.
97 See supra note 43.
98 Standards for Privacy of Individually Identifiable Health Information, see supra note 1, at 59960.
99 See id.
100 Standards for Privacy of Individually Identifiable Health Information, see supra note 1, at 59961.
101 See id.
102 Id.
Once more, the Federal law regarding substance abuse would remain in effect.103 This regulation would not pre-empt the protections given psychiatric and substance abuse records.104 The regulations seek to suspend enforcement of the regulation should the covered entity “disclose protected health information to law enforcement officials in a good faith belief that the disclosure was permitted under [the] title.”105 In keeping with the overall intent of the proposed regulation, a balance between the greater public good and the privacy of the individual is sought.106

103 Standards for Privacy of Individually Identifiable Health Information, see supra note 1, at 59963.
104 See id.
105 Standards for Privacy of Individually Identifiable Health Information, supra note 1, at 59964.
106 See id.

Uses and Disclosures for Governmental Health Data Systems (§ 164.510(g))

As part of the government’s efforts to “improve public policies and program management, improve health care and reduce costs, and improve information available for the consumer,” protected health care information may be made available to government agencies that collect and analyze data.107 The government uses the health care data to analyze and improve all aspects of the health care system.108 Not all states explicitly provide authority to collect this data; therefore, specific legal authority need not be a prerequisite for permitting access to this information.109 In fact, many agencies rely on a broad authority for legal access to such information. Thus, this access would continue under the proposed regulations.110

Disclosure of Directory Information (§ 164.510(h))

This section of the proposed regulations focuses narrowly on inpatient facilities.111 The proposed regulations apply to the patient directories which are kept to provide general information on the patient such as “allowing confirmation of a person’s presence in a facility, providing the room number for visits and deliveries,
and sometime providing general information on the patient’s condition.”112 As these services cannot be provided without revealing an individual’s health information, the proposed regulations require that the covered entity first seek the approval of the patient.113 Should the patient be incapacitated, the proposed regulations indicate that a legal guardian or representative for the patient be asked to make the decision.114 If a patient is incapacitated without a guardian, or admitted to the facility in an unconscious state, the covered entity is authorized to make the determination. However, should the patient’s condition improve or a legal representative present themselves, they should be consulted as to their wishes at the earliest possible time.115

107 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 212 §164.510(g) (1999).
108 Id.
109 See id.
110 See id.
111 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 212 §164.510(h) (1999).

Disclosure for Banking and Payment Processes (§ 164.510(i))

Means of payment may often identify the condition for which treatment was received.116 However, the proposed regulations would not seek to impede this process, due to the negative impact that would have on the health care system.117 For the purposes of collecting, billing, or authorizing payment for health care, minimal information would be allowed to be released under the proposed regulations.118 It would not be appropriate to include diagnostic or treatment information; however, information that would be permissible includes: “(1) name and address of account holder; (2) the name and address of the payer or provider; (3) the amount of the charge for health service; (4) the date on which the health services were rendered; (5) the expiration date for the payment mechanism, if applicable...(6) the individual’s signature.”119 While the proposed regulations limit the information which may be provided to a
financial institution, it is recognized that financial institutions may offer services beyond banking.120 Under these circumstances, the regulations leave room for a banking institution to provide tracking services or business partnerships.121 In these instances, the regulations would expand to approve further exchanges of health information.122

112 Id. at §164.510(h)(a).
113 See id. at §164.510(h)(b).
114 See id.
115 See id. at §164.510(h)(b)(i), at §164.510(h)(b)(ii).
116 See id. at §164.510(i).
117 See id.
118 See id.
119 Id.
120 See generally supra note 39.
121 See id. at §164.510(i)(b).
122 See id.

Uses and Disclosure for Research (§ 164.510(j))

The proposed regulations in §164.510(j) concern the use and disclosure of individually identifiable health information for research purposes.123 The health information may be disclosed for research, regardless of the funding source, as long as written requirements are fulfilled. In order to allow use or disclosure, the covered entity must obtain in writing: a waiver of authorization, the date of approval, the categories of criteria, and the required signature.124 More specifically, the proposed regulations intend for the covered entities to enter into a written contract with the researcher before the researcher may access individually identifiable health information without the specific authorization of the individual.125 The waiver of authorization must be approved by either an Institutional Review Board (IRB) or a privacy board.126 The requirements of the IRB are codified at 45 CFR 46.107.127 Otherwise, the review board must meet three suggested criteria: (A) Has members with varying backgrounds and appropriate professional competency as necessary to review the research protocol; (B) Includes at least one member who is not affiliated with the entity conducting the research or related to a person who is affiliated with such entity; and (C) Does not have any member participating in a review of any project in which the member has a
conflict of interest.128 Should a review board not meet these criteria, the covered entity would then not be permitted to disclose the information. However, if the review board meets the criteria, then the date of approval must accompany the approval of the waiver.129 The review board must determine that the authorization satisfies the following:

- The use or disclosure of protected health information involves no more than minimal risk to the subjects;
- The waiver will not adversely affect the rights and welfare of the subjects;
- The research could not practicably be conducted without the waiver;
- Whenever appropriate, the subjects will be provided with additional pertinent information after participation;
- The research could not practicably be conducted without access to and use of the protected health information;
- The research is of sufficient importance so as to outweigh the intrusion of the privacy of the individual whose information is subject to the disclosure;
- There is an adequate plan to protect the identifiers from improper use and disclosure;
- There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers.130

Finally, the chair of the board, either the IRB or the privacy board, must sign the waiver in order for the waiver to be official.131

123 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 212 §164.510(j) (1999) (to be codified at 45 C.F.R. pt. 160-164) (proposed Nov. 3, 1999).
124 See id.
125 See id.
126 See id. at §164.510(j)(1).
127 See id. at §164.510(j)(1)(i).
128 Id. at §164.510(j)(1)(ii).
129 Id. at §164.510(j)(2).

Use and disclosure in emergency circumstances (§ 164.510(k))

This section is proposed to complement the sections for disclosure under law enforcement and public health.132 It would apply in circumstances which may not be fully covered under these other sections. Circumstances which may require the use or disclosure of this information involve emergency first responders, which include law enforcement personnel and other emergency response personnel.133 The proposed regulation specifically requires that a covered entity comply with “applicable law and standards of ethical conduct and based on a reasonable belief that the use or disclosure is necessary to prevent or lessen a serious or imminent threat to health or safety of an individual or the public....”134 A covered entity would be permitted to disclose the health information based upon a request from an official with apparent authority.135 The disclosure by the covered entity may be made upon a reasonable belief that the disclosure is one of necessity.136

Disclosure to Next-of-Kin (§ 164.510(l))

The proposed regulation would require health care providers to obtain a verbal agreement from the individual, when that individual has the capacity to make his or her own health decisions, before disclosing protected health information to
next-of-kin, other family members, or to others with whom the individual has a close personal relationship. Where it is impractical or not feasible to obtain verbal agreement, providers could disclose information that is directly relevant to the person’s involvement in the individual’s care, consistent with good professional health practices and ethics.137

130 See id. at §164.510(j)(3)(i-iv).
131 See id. at §164.510(j)(4).
132 See id. at §164.510(k).
133 See id. at §164.510(k)(1).
134 Id.
135 See id. at §164.510(k)(2).
136 See id.

Uses and Disclosures for Specialized Classes (§ 164.510(m))

The use and disclosure of individually identifiable health information by a covered entity without the individual’s authorization may also be necessary and permissible in unique situations such as federal programs. The disclosures under this section range from military purposes to the Department of State.138 When an appropriate military command authority requests information from a health plan or health care provider, the plan or provider may provide the information on military personnel.139 The Federal Register requires that this proper military authority has complied with the following: (i) Appropriate military command authorities; (ii) The circumstances for which use or disclosure without individual authorization would be required; and (iii) Activities for which such use or disclosure would occur in order to assure proper execution of the military mission.140 The Department of Veterans Affairs may also utilize protected health information.141 It may use it to “determine eligibility for entitlement to” benefits provided by the Veterans Administration.142 Other federal entities which may utilize otherwise protected health information include the Intelligence Community (see National Security Act, 50 U.S.C.
401(a)) and the Department of State (specifically mentioned is the Foreign Service).143

137 See id. §164.510(l).
138 See id. at §164.510(m)(1-4).
139 See id. at §164.510(m)(1).
140 See id.
141 See id. at §164.510(m)(2).
142 See id.
143 See id. at §164.510(m)(3-4).

Uses and Disclosures Otherwise Required by Law (§ 164.510(n))

The proposed regulation allows covered entities to use or disclose protected health information if such use or disclosure is not addressed elsewhere in § 164.510 (uses and disclosures for which individual authorization is not required), is required by other law, and the disclosure meets all the relevant requirements of the law.144 An example of another law requiring disclosure could be State workers’ compensation laws. This section would permit health care providers to report abuse of any person as required by State law (child abuse or neglect, elder abuse or neglect). HIPAA specifically required that this regulation not interfere with State requirements for reporting abuse.145 In addition, the regulation was designed not to interfere with State requirements that health care providers report gunshot wounds and certain other conditions related to violence.

Individual Rights

Four basic individual rights would be created: the right to a notice of information practices; the right to obtain access to protected health information about them; the right to obtain access to an accounting of how their protected health information has been disclosed; and the right to request amendment and correction of protected health information. The rights would apply with respect to protected health information held by health care providers and health plans. Clearinghouses would not be subject to all of these requirements because, as business partners of covered plans and providers, clearinghouses would not usually initiate or maintain direct relationships with individuals.
Written Notice of Information Practices (§ 164.512)

HHS proposes that individuals have a right to an adequate notice of the information practices of covered plans and providers. The notice would be intended to inform individuals about what is done with their protected health information and about any rights they may have with respect to that information. Federal agencies must adhere to a similar notice requirement pursuant to the Privacy Act of 1974.146

Notices must include in plain language a statement which describes the uses and disclosures, and the entity’s policies and procedures with respect to such uses and disclosures. The notice must state that other uses and disclosures will be made only with the individual's authorization and that such authorization may be revoked; that an individual may request that certain uses and disclosures of his or her protected health information be restricted, and that the covered entity is not required to agree to such a request; that an individual has the right to request inspection and copying, amendment or correction, and an accounting of the disclosures of her or his protected health information by the covered entity; and that the covered entity is required by law to protect the privacy of individually identifiable health information. Individuals may complain to the covered entity or to the Secretary if they believe their privacy rights have been violated.

144 See id. § 164.510(n).
145 See Section 1178(b) of HIPAA.
146 5 U.S.C. 552a(e)(3).

Access for Inspection and Copying (§ 164.514)

The proposed rule provides that an individual has a right of access to, which includes a right to inspect and obtain a copy of, his or her protected health information from a covered entity that is a health plan or a health care provider, including non-duplicative information in a business partner's record, for so long as the information is maintained.
The rule also establishes various grounds upon which a covered entity may deny a request for access. The access procedures must provide a means by which an individual can request inspection or a copy of protected health information about her or him, and provide for action on such requests not later than 30 days following receipt of the request. Where the request is accepted, the covered entity must notify the individual of the decision and of any steps necessary to fulfill the request; provide the information requested in the form or format requested; facilitate the process of inspection and copying; and assess a reasonable, cost-based fee for copying, if desired. Where the request is denied in whole or in part, the covered entity must provide the individual with a written statement in plain language of the basis for the denial, and a description of how the individual may complain to the covered entity or to the Secretary.

Accounting of Disclosures (§ 164.515)

The proposed rule provides that, subject to certain exceptions, an individual has a right to receive an accounting of all disclosures of protected health information made by a covered entity as long as such information is maintained by the entity. An accounting is not required for disclosures for treatment, payment and health care operations, or for disclosures to health oversight or law enforcement agencies if the health oversight or law enforcement agency has provided a written request stating that the exclusion is necessary because disclosure would be reasonably likely to impede the agency's activities.

Amendment and Correction (§ 164.516)

The proposed rule provides that an individual has the right to request a health plan or health care provider to amend or correct protected health information about her or him for as long as the covered entity maintains the information.
A covered entity may deny a request for amendment or correction if it determines that the information that is the subject of the request was not created by the covered entity, would not be available for inspection and copying, or is accurate and complete. A covered entity that is a health plan or health care provider must have procedures to enable individuals to request amendment or correction, to determine whether such requests should be granted or denied, and to disseminate amendments or corrections to its business partners and to others to whom the erroneous information has been disclosed. Where the request is denied in whole or in part, the covered entity must provide the individual with a written statement in plain language of the basis for the denial, a description of how the individual may file a written statement of disagreement with the denial, and a description of how the individual may complain to the covered entity or to the Secretary.

Costs

Section 1172(b) of HIPAA provides that “(a)ny standard adopted under this part (part C of title XI of the Act) shall be consistent with the objective of reducing the administrative costs of providing and paying for health care.”147 In the Regulatory Impact and Regulatory Flexibility Analysis accompanying the proposed rule, HHS recognized that the proposed privacy standards would entail substantial initial and ongoing administrative costs for entities subject to the rule. However, HHS's analyses also indicate that the rule should produce administrative and other cost savings that should offset those costs on a national basis. The total cost of developing privacy policies and procedures for providers and plans is estimated at $395 million over five years. With respect to revisions to electronic data systems, the additional cost of the privacy element would be about $90 million over five years. The cost of developing notices of privacy practices is estimated at $30 million over five years.
The total five-year cost of providing notices to all provider patients and customers would be approximately $209 million; the total cost to plans of providing notices would be $231 million over five years. The cost of inspection and copying is estimated at $405 million over five years. The total cost of amending and correcting patient records is estimated at $2 billion over five years. Written patient authorizations are estimated to cost approximately $271 million over five years. Paperwork and training are estimated at $110 million over five years. Overall, the five-year costs beyond those already included in the administrative simplification estimates would be about $3.8 billion, with an estimated range of $1.8 billion to $6.3 billion.148

Preemption (§ 160.203)

The general rule is that any standard, requirement, or implementation specification adopted under subchapter C (Administrative Data Standards and Related Requirements) that is contrary149 to a provision of State law preempts that provision of State law.150 The general rule applies except where one or more of the following conditions is met:

• A determination is made by the Secretary that the provision of State law is necessary to prevent fraud and abuse, to ensure appropriate State regulation of insurance and health plans, for State reporting on health care delivery or cost, or for other purposes related to improving the Medicare program, the Medicaid program, or the efficiency and effectiveness of the health care system (§ 160.203(a)(1)); or
• A determination is made by the Secretary that the provision of State law addresses controlled substances (§ 160.203(a)(2)); or
• The provision of State law
  – relates to the privacy of health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E (Privacy of Individually Identifiable Health Information) (§ 160.203(b));
  – or the State procedures established under it, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention (§ 160.203(c)); or
  – requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification (§ 160.203(d)).

A State may request that the Secretary except a provision of State law from preemption under § 160.203(a). The State's request must include the State law for which the exception is requested, an explanation of how health care providers, health plans, and other entities would be affected by the exception, how long the exception would be in effect, and the reasons why the State law should not be preempted. The Secretary's determination is to be made on the basis of the extent to which the State has demonstrated that one or more of the preemption exception criteria has been met. If the federal requirement accomplishes the purposes of the preemption exception criteria as well as or better than the State law, the request will be denied.

147 42 U.S.C. § 1320d-1.
148 64 Fed. Reg. at 60014-60018.
149 “Contrary, when used to compare a provision of State law to a standard, requirement, or implementation specification adopted under this subchapter, means: (1) A party would find it impossible to comply with both the State and federal requirements; or (2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 264 of P.L. 104-191, as applicable.” 64 Fed. Reg. at 60050.
150 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. at 60051.
An exception granted is effective for three years and has effect only with respect to transactions taking place wholly within the State for which the exception was requested. Determinations made by the Secretary will be published annually in the Federal Register.

The Secretary may, either at a State's request or on her own initiative, issue advisory opinions as to whether a provision of State law constitutes an exception under § 160.203(b) to the general rule of preemption. The State's request must include the State law for which the exception is requested, the particular standard for which the exception is requested, an explanation of how health care providers, health plans, and other entities would be affected by the exception, how long the exception would be in effect, and the reasons why the State law should not be preempted. The Secretary's determination is to be made on the basis of the extent to which the State has demonstrated that the criteria of § 160.203(b) have been met. An exception granted has effect only with respect to transactions taking place wholly within the State for which the exception was requested. Advisory opinions issued by the Secretary will be published annually in the Federal Register.

Compliance and Enforcement

The Secretary is authorized to provide technical assistance to covered entities. An individual may file a complaint with the Secretary if the individual believes that a covered entity is not complying with the rule. Where the complaint relates to the alleged failure of a covered entity to amend or correct protected health information, the Secretary will determine whether the required procedures were followed but will not determine whether the information involved is accurate or complete, or whether errors or omissions might have occurred. The Secretary may conduct compliance reviews, and covered entities are required to cooperate with the Secretary in such reviews.
Covered entities may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against an individual for filing a complaint; for testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under the Act; or for opposing any act or practice made unlawful by the rule. If an investigation, compliance review, proceeding, or hearing indicates a failure to comply, the Secretary will resolve the matter by informal means whenever possible. If the matter cannot be resolved informally, the Secretary may issue written findings and may use those findings as a basis for initiating action under section 1176 of the Act (civil monetary penalties)151 or for making a criminal referral under section 1177 (penalties for wrongful disclosure of individually identifiable health information).152

Effective Date

A covered entity has 24 months following the effective date of the rule to come into compliance, except that small health plans have 36 months.

151 Section 1176 of the Act establishes civil monetary penalties for violation of the provisions of part C of title XI of the Act, subject to several limitations. Penalties may not exceed $100 per person per violation and may not exceed $25,000 per person for violations of a single standard in a calendar year.
152 Section 1177 establishes penalties for any person who knowingly uses a unique health identifier, or obtains or discloses individually identifiable health information, in violation of the part. The penalties are: (1) a fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if the offense is committed “under false pretenses,” a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years.
These penalties do not affect any other penalties that may be imposed under other federal programs.

EveryCRSReport.com

The Congressional Research Service (CRS) is a federal legislative branch agency, housed inside the Library of Congress, charged with providing the United States Congress non-partisan advice on issues that may come before Congress. EveryCRSReport.com republishes CRS reports that are available to all Congressional staff. The reports are not classified, and Members of Congress routinely make individual reports available to the public. Prior to our republication, we redacted names, phone numbers and email addresses of analysts who produced the reports. We also added this page to the report. We have not intentionally made any other changes to any report published on EveryCRSReport.com. CRS reports, as a work of the United States government, are not subject to copyright protection in the United States. Any CRS report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS report may include copyrighted images or material from a third party, you may need to obtain permission of the copyright holder if you wish to copy or otherwise use copyrighted material. Information in a CRS report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to members of Congress in connection with CRS's institutional role. EveryCRSReport.com is not a government website and is not affiliated with CRS. We do not claim copyright on any CRS report we have republished.