U.S. DEPARTMENT OF HEALTH & HUMAN SERVICES
Proposed Standards for Privacy of Individually
Identifiable Health Information
Section 264 of the Health Insurance Portability and Accountability Act
of 1996 (HIPAA), Public Law 104-191, enacted August 21, 1996, requires
that, if legislation establishing privacy standards is not enacted by
the date that is 36 months after the date of the enactment of this Act,
the Secretary of Health and Human Services shall promulgate final
regulations containing such standards not later than the date that is 42
months after the date of the enactment of this Act.
The statutory deadline for Congress to enact legislation was August 21,
1999. Absent legislation, HHS has developed its proposed rule.
The proposed rule would:
- allow health information to be used and shared easily for the
treatment and for payment of health care;
- allow health information to be disclosed without an individuals
authorization for certain national priority purposes (such as research,
public health and oversight), but only under defined circumstances;
- require written authorization for use and disclosure of health
information for other purposes, and
- create a set of fair information practices to inform people of how
their information is used and disclosed, ensure that they have access to
information about them, and require health plans and providers to
maintain administrative and physical safeguards to protect the
confidentiality of health information and protect against unauthorized
a. Entities covered by the proposed rule
- Health care providers who transmit health information electronically
- Health plans
- Health care clearinghouses
b. Health information covered by the proposed rule (Protected
- Protection would start when information becomes electronic, and would
stay with the information as long as the information is in the hands of
a covered entity.
- Information becomes electronic either by being sent
electronically as one of the specified Administrative Simplification
transactions or by being maintained in a computer system.
- The paper progeny of electronic information is covered; the
information would not lose its protections simply because it is
printed out of the computer.
- HIPAA protects the information itself, not the record in which
the information appears.
- The information must be identifiable. If the information
has any components that could be used to identify the subject, it would
We propose that covered entities be prohibited from using or disclosing
health information except: as authorized by the patient, or as explicitly
permitted by the regulation. The regulation would permit use and
disclosure of health information without authorization for purposes of
health care treatment, payment and operations, and for specified national
policy activities under conditions tailored for each type of such
permitted use or disclosure.
- The amount of information to be used or disclosed would be restricted
to the minimum amount necessary to accomplish the relevant purpose,
taking into consideration practical and technological limitations.
- There would be exceptions for situations in which assessment of
what is minimally necessary is appropriately made by someone other
than the covered entity (e.g., such as when an individual authorizes
a use or disclosure of information, or when the disclosure is
mandatory under another law).
- We would allow covered entities to rely on requests by certain
public agencies in determining the minimum necessary information for
- Under the principle of minimum necessary use, if an entity
consists of several different components, the entity would be
required to create barriers between components so that information
is not used or shared inappropriately.
- To encourage covered entities to strip identifiers from health
information when it is possible to do so, we would permitted a covered
entity to use and disclose such de- identified information in any way,
- it does not disclose the key or other mechanism that would enable
the information to be re-identified, and
- it has no reason to believe that such use or disclosure will
result in the use or disclosure of protected health information
(e.g., because the recipient has the means to re-identify the
- We would treat the key to coded identifiers the same as the
information to which it pertains. A covered entity could use or disclose
a key only as it could use or disclose the underlying information.
- We would permit covered entities to disclose protected health
information to persons they hire to perform functions on their behalf,
where such information is needed for that function. These ?business
partners would include contractors such as lawyers, auditors,
consultants, health care clearinghouses, and billing firms, but not
members of the covered entitys workforce.
- Except where the business partner is providing a treatment
consultation or referral, we would require covered entities to enter
into contracts with their business partners and would require the
contracts to include terms to ensure that the protected health
information disclosed to a business partner remains confidential.
Business partners would not be permitted to use or disclose protected
health information in ways that would not be permitted of the covered
entity itself. We use the contract as a tool for protecting information,
because the HIPAA does not provide legislative authority for the rule to
reach many such business partners directly.
- The uses and disclosures permitted by this rule would be exactly
that -- permitted, not required. For disclosures not compelled by other
law, providers and payers would be free to disclose or not, according to
their own policies and principles. At the same time, nothing in this
rule would provide authority for a covered entity to refuse to make a
disclosure mandated by other law.
- Only two disclosures would be required by this proposed rule:
disclosure to the subject individual pursuant to the individuals
request to inspect and copy health information about him or her, and
certain disclosures for the purposes of enforcing the rule.
- Health information covered by the proposed rule generally would
remain protected for two years after the death of the subject of the
information, subject to certain exceptions.
Disclosures without authorization for health care treatment, payment,
- Covered entities could use and disclose protected health information
without authorization for treatment, payment and health care operations.
This would include purposes such as quality assurance, utilization
review, credentialing, and other activities that are part of ensuring
appropriate treatment and payment.
- Individuals generally could ask a covered entity to restrict further
use and disclosure of protected health information for treatment,
payment, or health care operations, with the exception of uses or
disclosures required by law. The covered entity would not be required to
agree to such a request, but if the covered entity and the individual
agree to a restriction, the covered entity would be bound by the
Uses and disclosures with individual authorization
- Covered entities could use or disclose protected health information
with the individuals authorization for almost any lawful purpose.
- We would prohibit covered entities from conditioning treatment or
payment on the individual agreeing to disclose information for other
purposes, and require the authorization form to state this prohibition.
- While the provisions of this proposed rule are intended to make
authorizations for treatment and payment purposes unnecessary, some
States may continue to require them. Generally, this rule would not
supersede such State requirements. However:
- the rule would impose a new requirement that such State-mandated
authorizations must be physically separate from an authorization for
other purposes described in this rule.
- the authorization would have to meet the rules requirements
for the content of such authorizations (although a state law could
require that an authorization contain additional provisions).
- We would require authorizations to specify the information to be
disclosed, who would get the information, and when the authorization
would expire. If an authorization is sought so that a covered entity may
sell or barter the information, the covered entity would have to
disclose this fact on the authorization form.
- Use or disclosure of information by the covered entity inconsistent
with the authorization would be unlawful.
- Individuals could revoke an authorization.
Permissible uses and disclosures for purposes other than treatment,
payment and operations
- Covered entities could use and disclose protected health information
without individual authorization for the following national priority
- Oversight of the health care system, including quality assurance
- Public health, and in emergencies affecting life or safety;
- Judicial and administrative proceedings;
- Law enforcement;
- To provide information to next-of-kin;
- For identification of the body of a deceased person, or the cause
- For government health data systems;
- For facilities (hospitals, etc.) directories;
- To financial institutions, for processing payments for health
- In other situations where the use of disclosure is mandated by
other, consistent with the requirements of the other law.
- Specific conditions would have to be met in order for the use or
disclosure of protected health information to be permitted. These
conditions are tailored to the need for each specific category listed
above and to the types of organizations involved in such activities.
The proposed rule would provide several basic rights for individuals
with respect to protected health information about them. Individuals would
- The right to receive a written notice of information practices from
health plans and providers. The notice must describe the types of uses
and disclosures that the plan or provider would make with health
information (not just those uses and disclosures that could lawfully be
made). When plans and providers change their information practices, they
would also have to update the notice. Plans and providers would be
required to follow the information practices specified in their most
- The right to obtain access to protected health information about
them, including a right to inspect and obtain a copy of the information.
- The right to request amendment or correction of protected health
information that is inaccurate or incomplete.
- The right to receive an accounting of the instances where protected
health information about them has been disclosed by a covered entity for
purposes other than treatment, payment, or health care operations
(subject to certain time-limited exceptions for disclosures to law
enforcement and oversight agencies).
Administrative requirements and policy development and documentation
This proposed rule would require providers and payers to develop and
implement basic administrative procedures to protect health information
and the rights of individuals with respect to that information.
- Covered entities would be required to maintain documentation of
their policies and procedures for complying with the requirements of the
proposed rule. The documentation must include a statement of the entitys
practices regarding who would have access to protected health
information, how that information would be used within the entity, and
when that information would or would not be disclosed to other entities.
- Covered entities would be required to have in place administrative
systems, appropriate to the nature and scope of their business, that
enable them to protect health information in accordance with this rule.
Specifically, covered entities would be required to:
- designate a privacy official;
- provide privacy training to members of its workforce;
- implement safeguards to protect health information from
intentional or accidental misuse;
- provide a means for individuals to lodge complaints about the
entitys information practices, and maintain a record of any
- develop a system of sanctions for members of the workforce and
business partners who violate the entitys policies.
We propose privacy standards that covered entities must meet, but leave
the detailed policies and procedures for meeting these standards to the
discretion of each covered entity.
- We intend that implementation of these standards be flexible and
scalable, to account for nature of each covered entitys business,
and the covered entitys size and resources. We would require that
each covered entity assess its own needs and implement privacy policies
appropriate to its information practices and business requirements.
- The preamble to the proposed rule will include examples of how
implementation of these standards are scalable.
Pursuant to HIPAA, this rule will preempt state laws that are in
conflict with the regulatory requirements and that provide less stringent
privacy protections, with specified exceptions for certain public health
functions and related activities.
- Under HIPAA, the Secretary is granted the authority to impose civil
monetary penalties against those covered entities which fail to comply
with the requirements of this regulation.
- HIPAA also established criminal penalties for certain wrongful
disclosures of protected health information. These penalties are
graduated, increasing if the offense is committed under false pretenses,
or with intent to sell the information or reap other personal gain.
- Civil monetary penalties are capped at $25,000 for each calendar
year for each standard that is violated.
What this proposed rule does not do
- The HIPAA limits the application of our proposed rule to the covered
entities. It does not provide the authority for the rule to reach many
entities that receive health information from these covered entities, so
the rule cannot put in place appropriate restrictions on how such
recipients of protected health information may use and re-disclose such
- Any provider who maintains a solely paper information system cannot
be subject to these privacy standards.
- There is no statutory authority for a private right of action for
individuals to enforce their privacy rights.