Standards for Privacy of Individually Identifiable Health Information
Guidance issued July 6, 2001

Restrictions on Government Access to Health Information
[45 CFR §§ 160.300; 164.512(b); 164.512(f)]

Background
Under the Privacy Rule, government-operated health
plans and health care providers must meet substantially
the same requirements as private ones for protecting
the privacy of individually identifiable health information.
For instance, government-run health plans, such as Medicare
and Medicaid, must take virtually the same steps to
protect the claims and health information that they
receive from beneficiaries as private insurance plans
or health maintenance organizations (HMO). In addition,
all federal agencies must also meet the requirements
of the Privacy Act of 1974, which restricts what information
about individual citizens - including any personal health
information - can be shared with other agencies and
with the public.

The only new authority for government involves enforcement
of the Privacy Rule itself. In order to ensure covered
entities protect patients' privacy as required, the
rule provides that health plans, hospitals, and other
covered entities cooperate with the Department's efforts
to investigate complaints or otherwise ensure compliance.
The Department of Health and Human Services (HHS) Office
for Civil Rights (OCR) is responsible for enforcing
the privacy protections and access rights for consumers
under this rule.