This rule establishes national minimum standards to protect the privacy of individually identifiable health information in prescribed settings. The standards address the many varied uses and disclosures of individually identifiable health information by health plans, certain health care providers and health care clearinghouses. The complexity of the standards reflects the complexity of the health care marketplace to which they apply and the variety of subjects that must be addressed. The rule applies not only to the core health care functions relating to treating patients and reimbursing health care providers, but also to activities that range from when individually identifiable health information should be available for research without authorization to whether a health care provider may release protected health information about a patient for law enforcement purposes. The number of discrete provisions, and the number of commenters requesting that the rule recognize particular activities, is evidence of the significant role that individually identifiable health information plays in many vital public and private concerns.
At the same time, the large number of comments from individuals and groups representing individuals demonstrate the deep public concern about the need to protect the privacy of individually identifiable health information. The discussion above is rich with evidence about the importance of protecting privacy and the potential adverse consequences to individuals and their health if such protections are not extended.
The need to balance these competing interests - the necessity of protecting privacy and the public interest in using identifiable health information for vital public and private purposes - in a way that is also workable for the varied stakeholders causes much of the complexity in the rule. Achieving workability without sacrificing protection means some level of complexity, because the rule must track current practices and current practices are complex. We believe that the complexity entailed in reflecting those practices is better public policy than a perhaps simpler rule that disturbed important information flows.
Although the rule taken as a whole is complicated, we believe that the standards are much less complex as they apply to particular actors. What a health plan or covered health care provider must do to comply with the rule is clear, and the two-year delayed implementation provides a substantial period for trade and professional associations, working with their members, to assess the effects of the standards and develop policies and procedures to come into compliance with them. For individuals, the system may look substantially more complicated because, for the first time, we are ensuring that individuals will receive detailed information about how their individually identifiable health information may be used and disclosed. We also provide individuals with additional tools to exercise some control over those uses and disclosures. The additional complexity for individuals is the price of expanding their understanding and their rights.
The Department will work actively with members of the health care industry, representatives of individuals and others during the implementation of this rule. As stated elsewhere, our focus is to develop broader understanding of how the standards work and to facilitate compliance. We intend to provide guidance and check lists as appropriate, particularly to small businesses affected by the rule. We also will work with trade and professional associations to develop guidance and provide technical assistance so that they can help their members understand and comply with these new standards. If this effort is to succeed, the various public and private participants inside and outside of the health care system will need to work together to assure that the competing interests described above remain in balance and that an ethic that recognizes their importance is established.