I. Background

A. Need for privacy standards.

B. Statutory background.

C. Administrative costs.

D. Consultations.

E. Summary and purpose of the proposed rule.

  1. Applicability.
  2. General rules.
  3. Scalability.
  4. Uses and disclosures with individual authorization.
  5. Uses and disclosures for treatment, payment and health care operations.
  6. Permissible uses and disclosures for purposes other than treatment, payment and health care operations.
  7. Individual rights.
  8. Administrative requirements and policy development and documentation.
  9. Preemption.
  10. Enforcement.
  11. Conclusion.

II. Provisions of the proposed rule.

A. Applicability.

  1. Covered entities.
  2. Covered information.
  3. Interaction with other standards.
  4. References to other laws.

B. Definitions.

  1. Act.
  2. Covered entity.
  3. Health care.
  4. Health care clearinghouse.
  5. Health care provider.
  6. Health information.
  7. Health plan.
  8. Secretary.
  9. Small health plan.
  10. Standard.
  11. State.
  12. Transaction.
  13. Business partner.
  14. Designated record set.
  15. Disclosure.
  16. Health care operations.
  17. Health oversight agency.
  18. Individual.
  19. Individually identifiable health information.
  20. Law enforcement official.
  21. Payment.
  22. Protected health information.
  23. Psychotherapy notes.
  24. Public health authority.
  25. Research.
  26. Research information unrelated to treatment.
  27. Treatment.
  28. Use.
  29. Workforce.

C. General rules.

  1. Use and disclosure for treatment, payment, and health care operations.
  2. Minimum necessary use and disclosure.
  3. Right to restrict uses and disclosures.
  4. Creation of de-identified information.
  5. Application to business partners.
  6. Application to information about deceased persons.
  7. Adherence to the notice of information practices.
  8. Application to covered entities that are components of organizations that are not covered entities

D. Uses and disclosures with individual authorization.

  1. Requirements when the individual has initiated the authorization.
  2. Requirements when the covered entity initiates the authorization.
  3. Model forms.
  4. Plain language requirement.
  5. Prohibition on conditioning treatment or payment.
  6. Inclusion in the accounting for uses and disclosures.
  7. Revocation of an authorization by the individual.
  8. Expired, deficient, or false authorization.

E. Uses and disclosures permitted without individual authorization.

  1. Uses and disclosures for public health activities.
  2. Use and disclosure for health oversight activities.
  3. Use and disclosure for judicial and administrative proceedings.
  4. Disclosure to coroners and medical examiners.
  5. Disclosure for law enforcement.
  6. Uses and Disclosure for governmental health data systems.
  7. Disclosure of directory information.
  8. Disclosure for banking and payment processes.
  9. Uses and disclosures for research.
  10. Uses and Disclosures in emergency circumstances.
  11. Disclosure to next-of-kin.
  12. Additional uses and disclosures required by other law.
  13. Application to specialized classes.

F. Rights of individuals.

  1. Rights and procedures for a written notice of information practices.
  2. Rights and procedures for access for inspection and copying.
  3. Rights and procedures with respect to an accounting of disclosures.
  4. Rights and procedures for amendment and correction.

G. Administrative requirements.

  1. Designation of a privacy official.
  2. Training.
  3. Safeguards.
  4. Internal complaint process.
  5. Sanctions.
  6. Duty to mitigate.

H. Development and documentation of policies and procedures.

  1. Uses and disclosures of protected health information.
  2. Individual requests for restricting uses and disclosures.
  3. Notice of information practices.
  4. Inspection and copying.
  5. Amendment or correction.
  6. Accounting for disclosures.
  7. Administrative requirements.
  8. Record keeping requirements.

I. Relationship to other laws

  1. Relationship to State laws.
  2. Relationship to other federal laws.

J. Compliance and Enforcement.

  1. Compliance
  2. Enforcement.

III. Small Business Assistance

  1. Notice to individuals of information practices.
  2. Access of individuals to protected health information.
  3. Accounting for uses and disclosures.
  4. Amendment and correction.
  5. Designated Privacy official.
  6. Training.
  7. Safeguards.
  8. Complaints.
  9. Sanctions.
  10. Documentation of policies and procedures.
  11. Minimum Necessary.
  12. Business partners.
  13. Special disclosures that do not require authorization – public health, research, etc.
  14. Verification.

IV. Preliminary Regulatory Impact Analysis

A. Relationship of this Analysis to Analyses in Other HIPAA Regulations.

B. Summary of Costs and Benefits.

C. Need for the Proposed Action.

D. Baseline Privacy Protections.

  1. Professional Codes of Conduct and the Protection of Health Information.
  2. State Laws.
  3. Federal Laws.

E. Costs.

F. Benefits.

G. Examination of Alternative Approaches.

  1. Creation of de-identified information.
  2. General rules.
  3. Use and disclosure for treatment, payment, and health care operations.
  4. Minimum necessary use and disclosure.
  5. Right to restrict uses and disclosures.
  6. Application to business partners.
  7. Application to information about deceased persons.
  8. Uses and disclosures with individual authorization.
  9. Uses and disclosures permitted without individual authorization.
  10. Clearinghouses and the rights of individuals.
  11. Rights and procedures for a written notice of information practices.
  12. Rights and procedures for access for inspection and copying.
  13. Rights and procedures with respect to an accounting of disclosures.
  14. Rights and procedures for amendment and correction.
  15. Administrative requirements.
  16. Development and documentation of policies and procedures.
  17. Compliance and Enforcement.

V. Initial Regulatory Flexibility Analysis

A. Introduction.

B. Economic Effects on Small Entities

  1. Number and Types of Small Entities Affected.
  2. Activities and Costs Associated with Compliance.
  3. The burden on a typical small business.

VI. Unfunded Mandates

A. Future Costs.

B. Particular regions, communities, or industrial sectors.

C. National productivity and economic growth.

D. Full employment and job creation.

E. Exports.

VII. Environmental Impact

VIII. Collection of Information Requirements

IX. Executive Order 12612: Federalism

X. Executive Order 13086: Consultation and Coordination with Indian Tribal Governments

List of Subjects in 45 CFR Parts 160 and 164.

Appendix: Sample Provider Notice of Information Practices