
Contact: HHS Press Office
(202) 690-6343

PROTECTING THE PRIVACY OF PATIENTS' HEALTH INFORMATION

Overview: Each time a patient sees a doctor, is admitted to a hospital, goes to a pharmacist or sends a claim to a health plan, a record is made of their confidential health information. In the past, family doctors and other health care providers protected the confidentiality of those records by sealing them away in file cabinets and refusing to reveal them to anyone else. Today, the use and disclosure of this information is protected by a patchwork of state laws, leaving gaps in the protection of patients' privacy and confidentiality.

Congress recognized the need for national patient record privacy standards in 1996 when it enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The law included provisions designed to save money for health care businesses by encouraging electronic transactions, but it also required new safeguards to protect the security and confidentiality of that information. The law gave Congress until August 21, 1999, to pass comprehensive health privacy legislation. When Congress did not enact such legislation after three years, the law required the Department of Health and Human Services (HHS) to craft such protections by regulation.

In November 1999, HHS published proposed regulations to guarantee patients new rights and protections against the misuse or disclosure of their health records. During an extended comment period, HHS received more than 52,000 communications from the public. In December 2000, HHS issued a final rule that made significant changes in order to address issues raised by the comments. To ensure that the provisions of the final rule would protect patients' privacy without creating unanticipated consequences that might harm patients' access to care or quality of care, HHS Secretary Tommy G. Thompson opened the final rule for comment for 30 days. After that comment period, President Bush and Secretary Thompson allowed the rule to take effect on April 14, 2001, as scheduled, and to make appropriate changes during the next year to clarify the requirements and correct potential problems that could threaten access to or quality of care. On July 6, 2001, HHS issued its first set of guidance to answer common questions and clarify confusion about the final rule's provisions.

COMPLIANCE SCHEDULE
The final rule took effect on April 14, 2001. As required by the HIPAA law, most covered entities have two full years - until April 14, 2003 - to comply with the final rule's provisions. The law gives HHS the authority to make appropriate changes to the rule prior to the compliance date.

COVERED ENTITIES
As required by HIPAA, the final regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., electronic billing and funds transfers) electronically.

INFORMATION PROTECTED
All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally, are covered by the final rule.

CONSUMER CONTROL OVER HEALTH INFORMATION
Under the final rule, patients will have significant new rights to understand and control how their health information is used.

- Patient education on privacy protections. Providers and health plans will be required to give patients a clear written explanation of how the covered entity may use and disclose their health information.

- Ensuring patient access to their medical records. Patients will be able to see and get copies of their records, and request amendments. In addition, a history of non-routine disclosures must be made accessible to patients.

- Receiving patient consent before information is released. Health care providers who see patients will be required to obtain patient consent before sharing their information for treatment, payment, and health care operations. In addition, separate patient authorization must be obtained for non-routine disclosures and most non-health care purposes. Patients will have the right to request restrictions on the uses and disclosures of their information.

- Providing recourse if privacy protections are violated. People will have the right to file a formal complaint with a covered provider or health plan, or with HHS, about violations of the provisions of this rule or the policies and procedures of the covered entity.

BOUNDARIES ON MEDICAL RECORD USE AND RELEASE
With few exceptions, such as appropriate law enforcement needs, an individual's health information may only be used for health purposes.

- Ensuring that health information is not used for non-health purposes. Health information covered by the rule generally may not be used for purposes not related to health care - such as disclosures to employers to make personnel decisions, or to financial institutions - without explicit authorization from the individual.

- Providing the minimum amount of information necessary. In general, disclosures of information will be limited to the minimum necessary for the purpose of the disclosure. However, this provision does not apply to the disclosure of medical records for treatment purposes because physicians, specialists, and other providers need access to the full record to provide quality care.

ENSURE THE SECURITY OF PERSONAL HEALTH INFORMATION
The final rule establishes the privacy safeguard standards that covered entities must meet, but it gives covered entities the flexibility to design their own policies and procedures to meet those standards. The requirements are flexible and scalable to account for the nature of each entity's business, and its size and resources. Covered entities generally will have to:

- Adopt written privacy procedures. These include who has access to protected information, how it will be used within the entity, and when the information may be disclosed. Covered entities will also need to take steps to ensure that their business associates protect the privacy of health information.

- Train employees and designate a privacy officer. Covered entities will need to train their employees in their privacy procedures, and must designate an individual to be responsible for ensuring the procedures are followed.

ESTABLISH ACCOUNTABILITY FOR MEDICAL RECORDS USE AND RELEASE
In HIPAA, Congress provided penalties for covered entities that misuse personal health information.

- Civil penalties. Health plans, providers and clearinghouses that violate these standards will be subject to civil liability. Civil money penalties are $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated.

- Federal criminal penalties. Under HIPAA, Congress also established criminal penalties for knowingly violating patient privacy. Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

BALANCING PUBLIC RESPONSIBILITY WITH PRIVACY PROTECTIONS
In limited circumstances, the final rule permits - but does not require - covered entities to continue certain existing disclosures of health information without individual authorization for specific public responsibilities.

These permitted disclosures include: emergency circumstances; identification of the body of a deceased person, or the cause of death; public health needs; research, generally limited to when a waiver of authorization is independently approved by a privacy board or Institutional Review Board; oversight of the health care system; judicial and administrative proceedings; limited law enforcement activities; and activities related to national defense and security.

All of these disclosures could occur today under existing laws and regulations, although the privacy rule generally establishes new safeguards and limits. If there is no other law requiring that information be disclosed, covered entities will use their professional judgments to decide whether to disclose any information, reflecting their own policies and ethical principles.

SPECIAL PROTECTION FOR PSYCHOTHERAPY NOTES
Psychotherapy notes (used only by a psychotherapist) are held to a higher standard of protection because they are not part of the medical record and are never intended to be shared with anyone else. All other personal health information is considered to be sensitive and protected consistently under this rule.

EQUIVALENT REQUIREMENTS FOR GOVERNMENT ENTITIES
The provisions of the final rule generally apply equally to private sector and public sector entities. For example, both private hospitals and government medical units have to comply with the full range of requirements, such as providing notice, access rights and requiring consent for routine uses.

COST OF IMPLEMENTATION
The final rule projected the implementation costs at $17.6 billion over 10 years - a figure more than offset by the $29.9 billion in projected savings under the final electronic transactions regulation issued in August 2000.

PRESERVING EXISTING, STRONG STATE CONFIDENTIALITY LAWS
As required by the HIPAA law itself, stronger state laws (like those covering mental health, HIV infection, and AIDS information) continue to apply. These confidentiality protections are cumulative; the final rule will set a national "floor" of privacy standards that protect all Americans, but in some states individuals enjoy additional protection. In circumstances where states have decided through law to require certain disclosures of health information, the final rule does not preempt these mandates.

COMPLIANCE AND ENFORCEMENT
The rule will be enforced by the HHS Office for Civil Rights (OCR). On July 6, OCR issued its first set of guidance to answer many common questions about the new patient privacy rule and to clarify some of the confusion regarding the rule's potential impact on health care delivery and access. Before covered entities must comply with the rule, OCR will provide assistance to providers, plans and health clearinghouses in meeting the requirements of the regulation. The initial guidance and other information about the new regulation are available on the Web at http://www.hhs.gov/ocr/hipaa/.

###

From the Office for Civil Rights, Dept. of Health and Human Services.

Standards for Privacy of Individually Identifiable Health Information

[45 CFR Parts 160 and 164]

General Overview

The following is an overview that provides answers to general questions regarding the regulation entitled, Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), promulgated by the Department of Health and Human Services (HHS), and process for modifications to that rule. Detailed guidance on specific requirements in the regulation is presented in subsequent sections, each of which addresses a different standard.

The Privacy Rule provides the first comprehensive federal protection for the privacy of health information. All segments of the health care industry have expressed their support for the objective of enhanced patient privacy in the health care system. At the same time, HHS and most parties agree that privacy protections must not interfere with a patient's access to or the quality of health care delivery.

The guidance provided in this section and those that follow is meant to communicate as clearly as possible the privacy policies contained in the rule. Each section has a short summary of a particular standard in the Privacy Rule, followed by "Frequently Asked Questions" about that provision. In some cases, the guidance identifies areas of the Privacy Rule where a modification or change to the rule is necessary. These areas are summarized below in response to the question "What changes might you make to the final rule?" and discussed in more detail in the subsequent sections of this guidance. We emphasize that this guidance document is only the first of several technical assistance materials that we will issue to provide clarification and help covered entities implement the rule. We anticipate that there will be many questions that will arise on an ongoing basis which we will need to answer in future guidance. In addition, the Department will issue proposed modifications as necessary in one or more rulemakings to ensure that patients' privacy needs are appropriately met. The Department plans to work expeditiously to address these additional questions and propose modifications as necessary.

Frequently Asked Questions

Q: What does this regulation do?

A: The Privacy Rule became effective on April 14, 2001. Most health plans and health care providers that are covered by the new rule must comply with the new requirements by April 2003.

The Privacy Rule for the first time creates national standards to protect individuals' medical records and other personal health information.

- It gives patients more control over their health information.
- It sets boundaries on the use and release of health records.
- It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
- It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights.
- And it strikes a balance when public responsibility requires disclosure of some forms of data - for example, to protect public health.

For patients - it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.

- It enables patients to find out how their information may be used and what disclosures of their information have been made.
- It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
- It gives patients the right to examine and obtain a copy of their own health records and request corrections.

Q: Why is this regulation needed?

A: In enacting the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Congress mandated the establishment of standards for the privacy of individually identifiable health information.

When it comes to personal information that moves across hospitals, doctors' offices, insurers or third party payers, and state lines, our country has relied on a patchwork of federal and state laws. Under the current patchwork of laws, personal health information can be distributed - without either notice or consent - for reasons that have nothing to do with a patient's medical treatment or health care reimbursement. Patient information held by a health plan may be passed on to a lender who may then deny the patient's application for a home mortgage or a credit card - or to an employer who may use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections will continue to apply over and above the new federal privacy standards.

Health care providers have a strong tradition of safeguarding private health information. But in today's world, the old system of paper records in locked filing cabinets is not enough. With information broadly held and transmitted electronically, the rule provides clear standards for all parties regarding protection of personal health information.

Q: What does this regulation require the average provider or health plan to do?

A: For the average health care provider or health plan, the Privacy Rule requires activities, such as:

- Providing information to patients about their privacy rights and how their information can be used.
- Adopting clear privacy procedures for its practice, hospital, or plan.
- Training employees so that they understand the privacy procedures.
- Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
- Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Responsible health care providers and businesses already take many of the kinds of steps required by the rule to protect patients' privacy. Covered entities of all types and sizes are required to comply with the final Privacy Rule. To ease the burden of complying with the new requirements, the Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs. The scalability of the rules provides a more efficient and appropriate means of safeguarding protected health information than would any single standard. For example,

- The privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties; the privacy official at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board.
- The training requirement may be satisfied by a small physician practice's providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.
- The policies and procedures of small providers may be more limited under the rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.

Q: Who must comply with these new privacy standards?

A: As required by Congress in HIPAA, the Privacy Rule covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards are required to be adopted by the Secretary under HIPAA, such as electronic billing and fund transfers. These entities (collectively called "covered entities") are bound by the new privacy standards even if they contract with others (called "business associates") to perform some of their essential functions. The law does not give HHS the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. The "Business Associate" section of this guidance provides a more detailed discussion of the covered entities' responsibilities when they engage others to perform essential functions or services for them.

Q: When will covered entities have to meet these standards?

A: As Congress required in HIPAA, most covered entities have two full years from the date that the regulation took effect - or, until April 14, 2003 - to come into compliance with these standards. Under the law, small health plans will have three full years - or, until April 14, 2004 - to come into compliance.

The HHS Office for Civil Rights (OCR) will provide assistance to help covered entities prepare to comply with the rule. OCR maintains a Web site with information on the new regulation, including guidance for industry, such as these frequently asked questions, at http://www.hhs.gov/ocr/hipaa/.

Q: Do you expect to make any changes to this rule before the compliance date?

A: We can and will issue proposed modifications to correct any unintended negative effects of the Privacy Rule on health care quality or on access to such care.

In February 2001, Secretary Thompson requested public comments on the final rule to help HHS assess the rule's real-world impact in health care delivery. During the 30-day comment period, we received more than 11,000 letters or comments - including some petitions with thousands of names. These comments are helping to guide the Department's efforts to clarify areas of the rule to eliminate uncertainties and to help covered entities begin their implementation efforts.

Q: What changes might you make in the final rule?

A: We continue to review the input received during the recent public comment period to determine what changes are appropriate to ensure that the rule protects patient privacy as intended without harming consumers' access to care or the quality of that care.

Examples of standards in the Privacy Rule for which we will propose changes are:

- Phoned-in Prescriptions - A change will permit pharmacists to fill prescriptions phoned in by a patient's doctor before obtaining the patient's written consent (see the "Consent" section of this guidance for more discussion).
- Referral Appointments - A change will permit direct treatment providers receiving a first time patient referral to schedule appointments, surgery, or other procedures before obtaining the patient's signed consent (see the "Consent" section of this guidance for more discussion).
- Allowable Communications - A change will increase the confidence of covered entities that they are free to engage in whatever communications are required for quick, effective, high quality health care, including routine oral communications with family members, treatment discussions with staff involved in coordination of patient care, and using patient names to locate them in waiting areas (see the "Oral Communications" section of this guidance for more discussion).
- Minimum Necessary Scope - A change will increase covered entities' confidence that certain common practices, such as use of sign-up sheets and X-ray lightboards, and maintenance of patient medical charts at bedside, are not prohibited under the rule (see the "Minimum Necessary" section of this guidance for more discussion).

In addition, HHS may reevaluate the Privacy Rule to ensure that parents have appropriate access to information about the health and well-being of their children. This issue is discussed further in the "Parents and Minors" section of this guidance.

Other changes to the Privacy Rule also may be considered as appropriate.

Q: How will you make any changes?

A: Any changes to the final rule must be made in accordance with the Administrative Procedures Act (APA). HHS intends to comply with the APA by publishing its rule changes in the Federal Register through a Notice of Proposed Rulemaking and will invite comment from the public. After reviewing and addressing those comments, HHS will issue a final rule to implement appropriate modifications.

Congress specifically authorized HHS to make appropriate modifications in the first year after the final rule took effect in order to ensure the rule could be properly implemented in the real world. We are working as quickly as we can to identify where modifications are needed and what corrections need to be made so as to give covered entities as much time as possible to implement the rule. Covered entities can and should begin the process of implementing the privacy standards in order to meet their compliance dates.