Standards for Privacy of Individually Identifiable Health Information
A. Statutory Background
In the Health Insurance Portability and Accountability Act of 1996
(HIPAA), Public Law 104-191, which became law on August 21, 1996,
Congress recognized the importance of protecting the privacy of
health information given the rapid evolution of health information
systems. HIPAA's Administrative Simplification provisions, sections
261 through 264 of the statute, were designed to improve the efficiency
and effectiveness of the health care system by facilitating the
electronic exchange of information with respect to certain financial
and administrative transactions carried out by health plans, health
care clearinghouses, and health care providers who transmit information
electronically in connection with such transactions. To implement
these provisions, the statute directed HHS to adopt a suite of uniform,
national standards for transactions, unique health identifiers,
code sets for the data elements of the transactions, security of
health information, and electronic signature.
At the same time, Congress recognized the challenges to the confidentiality
of health information presented by the increasing complexity of
the health care industry, and by advances in the health information
systems technology and communications. Thus, the Administrative
Simplification provisions of HIPAA authorized the Secretary to promulgate
standards for the privacy of individually identifiable health information
if Congress did not enact health care
privacy legislation by August 21, 1999. HIPAA also required the
Secretary of HHS to provide Congress with recommendations for legislating
to protect the confidentiality of health care information. The Secretary
submitted such recommendations to Congress on September 11, 1997,
but Congress did not pass such legislation within its self-imposed
deadline.
With respect to these regulations, HIPAA provided that the standards,
implementation specifications, and requirements established by the
Secretary not supersede any contrary State law that imposes more
stringent privacy protections. Additionally, Congress required that
HHS consult with the National Committee on Vital and Health Statistics,
a Federal advisory committee established pursuant to section 306(k)
of the Public Health Service Act (42 U.S.C. 242k(k)), and the Attorney
General in the development of HIPAA privacy standards.
After a set of HIPAA Administrative Simplification standards is
adopted by the Department, HIPAA provides HHS with authority to
modify the standards as deemed appropriate, but not more frequently
than once every 12 months. However, modifications are permitted
during the first year after adoption of the standards if the changes
are necessary to permit compliance with the standards. HIPAA also
provides that compliance with modifications to standards or implementation
specifications must be accomplished by a date designated by the
Secretary, which may not be earlier than 180 days after the adoption
of the modification.
B. Regulatory and Other Actions to Date
HHS published a proposed Rule setting forth privacy standards for
individually identifiable health information on November 3, 1999
(64 FR 59918). The Department received more than 52,000 public comments
in response to the proposal. After reviewing and considering the
public comments, HHS issued a final Rule (65 FR 82462) on December
28, 2000, establishing "Standards for Privacy of Individually Identifiable
Health Information" ("Privacy Rule").
In an era where consumers are increasingly concerned about the privacy
of their personal information, the Privacy Rule creates, for the
first time, a floor of national protections for the privacy of their
most sensitive information--health information. Congress has passed
other laws to protect consumers' personal information contained
in bank, credit card, and other financial records, and even in video rental records.
These health privacy protections are intended to provide consumers
with similar assurances that their health information, including
genetic information, will be properly protected. Under the Privacy
Rule, health plans, health care clearinghouses, and certain health
care providers must guard against misuse of individuals' identifiable
health information and limit the sharing of such information, and
consumers are afforded significant new rights to enable them to
understand and control how their health information is used and
disclosed.
After publication of the Privacy Rule, HHS received many inquiries
and unsolicited comments through telephone calls, e-mails, letters,
and other contacts about the impact and operation of the Privacy
Rule on numerous sectors of the health care industry. Many of these
commenters exhibited substantial confusion and misunderstanding
about how the Privacy Rule will operate; others expressed great
concern over the complexity of the Privacy Rule. In
response to these communications and to ensure that the provisions
of the Privacy Rule would protect patients' privacy without creating
unanticipated consequences that might harm patients' access to health
care or quality of health care, the Secretary of HHS opened the
Privacy Rule for additional public comment in March 2001 (66 FR
12738).
After an expedited review of the comments by the Department, the
Secretary decided that it was appropriate for the Privacy Rule to
become effective on April 14, 2001, as scheduled (66 FR 12434).
At the same time, the Secretary directed the Department immediately
to begin the process of developing guidelines on how the Privacy
Rule should be implemented and to clarify the impact of the Privacy
Rule on health care activities. In addition, the Secretary charged
the Department with proposing appropriate changes to the Privacy
Rule during the next year to clarify the requirements and correct
potential problems that could threaten access to, or quality of,
health care. The comments received during the comment period, as
well as other communications from the public and all sectors of
the health care industry, including letters, testimony at public
hearings, and meetings requested by these parties, have helped to
inform the Department's efforts to develop proposed modifications
and guidance on the Privacy Rule.
On July 6, 2001, the Department issued its first guidance to answer
common questions and clarify certain of the Privacy Rule's provisions.
In the guidance, the Department also committed to proposing modifications
to the Privacy Rule to address problems arising from unintended
effects of the Privacy Rule on health care delivery and access.
The guidance will soon be updated to reflect the modifications adopted
in this final Rule. The revised guidance will be available on the
HHS Office for Civil Rights (OCR) Privacy Web site at http://www.hhs.gov/ocr/hipaa/.
In addition, the National Committee on Vital and Health Statistics
(NCVHS), Subcommittee on Privacy and Confidentiality,
held public hearings on the implementation of the Privacy
Rule on August 21-23, 2001, and January 24-25, 2002,
and provided recommendations to the Department based
on these hearings. The NCVHS serves as the statutory
advisory body to the Secretary of HHS with respect to
the development and implementation of the Rules required
by the Administrative Simplification provisions of HIPAA,
including the privacy standards. Through the hearings,
the NCVHS specifically solicited public input on issues
related to certain key standards in the Privacy Rule:
consent, minimum necessary, marketing, fundraising,
and research. The resultant public testimony and subsequent
recommendations submitted to the Department by the NCVHS
also served to inform the development of these
proposed modifications.