NPRM: Standards for Privacy of Individually Identifiable Health Information. E. Summary and purpose of the proposed rule.


The following outlines the provisions and operations of this proposed rule and is intended to provide a framework for the following preamble. A more detailed discussion of the authority, rationale, and implementation can be found in Section II of the preamble, Provisions of the Proposed Rule.

As described in more detail in preamble section I.B, above, the HIPAA requires the Secretary of HHS to promulgate a series of standards relating to the electronic exchange of health information. Collectively these are known as the Administrative Simplification provisions. In addition to those standards, the Secretary was required to develop and submit to the Congress recommendations for the privacy rights that an individual who is a subject of individually identifiable health information should have, the procedures that should be established for the exercise of such rights, and the uses and disclosures of such information that should be authorized.

On September 11, 1997, the Secretary presented to the Congress her Recommendations for protecting the “Confidentiality of Individually-Identifiable Health Information” (the “Recommendations”), as required by section 264(a) of HIPAA. In those Recommendations, the Secretary called for new federal legislation to create a national floor of standards that provide fundamental privacy rights for patients, and that define responsibilities for those who use and disclose identifiable health information.

The Recommendations elaborated on the components that should be included in privacy legislation. These components included new restrictions on the use and disclosure of health information, the establishment of new consumer rights, penalties for misuse of information, and redress for those harmed by misuse of their information. The Recommendations served, to the extent possible under the HIPAA legislative authority, as a template for the rules proposed below. They are available on the HHS website at

The Secretary’s Recommendations set forth a framework for federal privacy legislation. Such legislation should:

  • Allow for the smooth flow of identifiable health information for treatment, payment, and related operations, and for specified additional purposes related to health care that are in the public interest.
  • Prohibit the flow of identifiable information for any additional purposes, unless specifically and voluntarily authorized by the subject of the information.
  • Put in place a set of fair information practices that allow individuals to know who is using their health information, and how it is being used.
  • Establish fair information practices that allow individuals to obtain access to their records and request amendment of inaccurate information.
  • Require persons who hold identifiable health information to safeguard that information from inappropriate use or disclosure.
  • Hold those who use individually identifiable health information accountable for their handling of this information, and provide legal recourse to persons harmed by misuse.

We believed then, and still believe, that there is an urgent need for legislation to establish comprehensive privacy standards for all those who pay and provide for health care, and those who receive information from them.

This proposed rule implements many of the policies set forth in the Recommendations. However, the HIPAA legislative authority is more limited in scope than the federal statute we recommend, and does not always permit us to propose the policies that we believe are optimal. Our major concerns with the scope of the HIPAA authority include the limited number of entities to whom the proposed rule would be applicable, and the absence of strong enforcement provisions and a private right of action for individuals whose privacy rights are violated.

The Recommendations call for legislation that applies to health care providers and payers who obtain identifiable health information from individuals and, significantly, to those who receive such information from providers and payers. The Recommendations follow health information from initial creation by a health plan or health care provider, through various uses and disclosures, and would establish protections at each step: “We recommend that everyone in this chain of information handling be covered by the same rules.” However, the HIPAA limits the application of our proposed rule to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (the “covered entities”). Unfortunately, this leaves many entities that receive, use and disclose protected health information outside of the system of protection that we propose to create.

In particular, the proposed regulation does not directly cover many of the persons who obtain identifiable health information from the covered entities. In this proposed rule we are, therefore, faced with creating new regulatory permissions for covered entities to disclose health information, but cannot directly put in place appropriate restrictions on how many likely recipients of such information may use and re-disclose it. For example, the Secretary’s Recommendations proposed that protected health information obtained by researchers not be further disclosed except for emergency circumstances, for a research project that meets certain conditions, and for oversight of research. In this proposed rule, however, we cannot impose such restrictions. Additional examples of persons who receive this information include workers’ compensation carriers, researchers, life insurance issuers, employers and marketing firms. We also do not have the authority to directly regulate many of the persons that covered entities hire to perform administrative, legal, accounting, and similar services on their behalf, and who would obtain health information in order to perform their duties. This inability to directly address the information practices of these groups leaves an important gap in the protections provided by the proposed rule.

In addition, only those providers who engage in the electronic administrative simplification transactions can be covered by this rule. Any provider who maintains a solely paper information system would not be subject to these privacy standards, thus leaving another gap in the system of protection we propose to create.

The need to match a regulation limited to a narrow range of covered entities with the reality of information sharing among a wide range of entities leads us to consider limiting the type or scope of the disclosures permitted under this regulation. The disclosures we propose to allow in this rule are, however, necessary for smooth operation of the health care system and for promoting key public goals such as research, public health, and law enforcement. Any limitation on such disclosures could do more harm than good.

Requirements to protect individually identifiable health information must be supported by real and significant penalties for violations. We recommend federal legislation that would include punishment for those who misuse personal health information and redress for people who are harmed by its misuse. We believe there should be criminal penalties (including fines and imprisonment) for obtaining health information under false pretenses, and for knowingly disclosing or using protected health information in violation of the federal privacy law. We also believe that there should be civil monetary penalties for other violations of the law and that any individual whose rights under the law have been violated, whether negligently or knowingly, should be permitted to bring an action for actual damages and equitable relief. Only if we put the force of law behind our rhetoric can we expect people to have confidence that their health information is protected, and ensure that those holding health information will take their responsibilities seriously.

In HIPAA, Congress did not provide such enforcement authority. There is no private right of action for individuals to enforce their rights, and we are concerned that the penalty structure does not reflect the importance of these privacy protections and the need to maintain individuals’ trust in the system. For these and other reasons, we continue to call for federal legislation to ensure that privacy protection for health information will be strong and comprehensive.