NRPM: Standards for Privacy of Individually Identifiable Health Information. D. Baseline Privacy Protections.


Determining the impact of the rule on covered entities requires us to establish a baseline for current privacy policies. We must first determine current practices and requirements related to protected information -- specifically, practices related to disclosure and use, notification of individuals of information practices, inspection and copying, amendment and correction, administrative policies, procedures, and related documentation.

Privacy practices are most often shaped by professional organizations that publish ethical codes of conduct and by State law. On occasion, State laws defer to professional conduct codes. At present, where neither professional organizations nor States have developed guidelines for privacy practices, an entity may implement privacy practices independently.

Professional codes of conduct or ethical behavior generally can be found as opinions and guidelines developed by organizations such as the American Medical Association, the American Hospital Association, and the American Dental Association. These are generally issued though an organization’s governing body. The codes do not have the force of law, but providers often recognize them as binding rules.

State laws are another important means of protecting health information. While professional codes of conduct usually only have slight variations, State laws vary dramatically. Some States defer to the professional codes of conduct, others provide general guidelines for privacy protection, and others provide detailed requirements relating to the protection of information relating to specific diseases or to entire classes of information. In cases where neither State law nor professional ethical standards exist, the only privacy protection individuals have is limited to the policies and standards that the health care entity adopts.

Before we can attempt to determine the impact of the proposed rule on covered entities, we must make an effort to establish the present level of privacy protection. Current privacy protection practices are determined by the standards and practices that the professional associations have adopted for their members and by State laws.