HIPAA STATUTORY BACKGROUND
(This text is excerpted from Federal Register/Vol.
67, No 157/8-14-02/Rules & Regulations)
Congress recognized the importance of protecting
the privacy of health information given the rapid evolution
of health information systems in the Health Insurance Portability
and Accountability Act of 1996 (HIPAA), Public Law 104-191,
which became law on August 21, 1996. HIPAA’s Administrative
Simplification provisions, sections 261 through 264 of the
statute, were designed to improve the efficiency and effectiveness
of the health care system by facilitating the electronic exchange
of information with respect to certain financial and administrative
transactions carried out by health plans, health care clearinghouses
and health care providers who transmit information electronically
in connection with such transactions. To implement these provisions,
the statute directed Health and Human Services (HHS) to adopt
a suite of uniform, national standards for transactions, unique
health identifiers, code sets for the data elements of the
transactions, security of health information and electronic
At the same time, Congress recognized the challenges
to the confidentiality of health information presented by
the increasing complexity of the health care industry, and
by advances in the health information systems technology and
communications. Thus the Administrative Simplification provisions
of HIPAA authorized the Secretary to promulgate standards
for the privacy of individually identifiable health information.
With respect to these regulations, HIPAA provided
that the standards, implementation specifications, and requirements
established by the Secretary not supersede any contrary State
law that imposes more stringent privacy protections.
HHS published a proposed Rule setting forth privacy
standards for individually identifiable health information
on November 3, 1999. After reviewing and considering public
comments, HHS issued a final Rule on December 28, 2000 establishing
“Standards for Privacy of Individually Identifiable
Health Information” (“Privacy Rule”).
The Privacy Rule creates for the first time a
floor of national protections for the privacy of their (consumers)
most sensitive information - health information. Congress
has passed other laws to protect consumers’ personal
information contained in bank, credit card and other financial
records and even video rentals. These health privacy protections
are intended to provide consumers with similar assurance that
their health information, including genetic information will
be properly protected. Under the Privacy Rule, health plans,
health care clearinghouses, and certain health care providers
must guard against misuse of individuals’ identifiable
health information and limit the sharing of such information
The compliance date of the Privacy Rule for
most covered entities is April 14, 2003.
Section 164.502 – Uses and Disclosures
of Protected Health Information
General Rules (Excerpted from
Federal Register/Vol. 67, No 157/8-14-02/Rules & Regulations)
The December 2000 Privacy Rule generally requires
that covered entities make reasonable efforts to limit the
use or disclosure of, and requests for, protected health information
to the minimum necessary to accomplish the intended purpose.
The Privacy Rule requires covered entities to implement the
appropriate administrative, technical, and physical safeguards
to reasonably safeguard protected health information (PHI)
from any intentional or unintentional use or disclosure that
violates the Rule.
Protected Health Information includes individually
identifiable health information in any form, including information
transmitted orally, or in written or electronic form.
The Department clarified that the Privacy Rule
is not intended to impede customary and necessary health care
communications or practices, nor to require that all risk
of incidental use or disclosure be eliminated to satisfy the
The Department continues to believe, as was stated
in the proposed Rule, that so long as reasonable safeguards
are employed, the burden of impeding such communications is
not outweighed by any benefits that may accrue to the individuals’
However, an incidental use or disclosure that
occurs as a result of a failure to apply reasonable safeguards
or the minimum necessary standard, where required, is not
a permissible use or disclosure and, therefore, is a violation
of the Privacy Rule.
The Department expects that incidental uses
and disclosure will occur and permits such uses and disclosure
to the extent that the covered entity has in place reasonable
safeguards and has applied the minimum necessary standard.
Each covered entity should assess the nature
of the protected health information it “holds”
and the nature and scope of its business, and implement safeguards
that are reasonable for its particular circumstances.”
This means that covered entities must
show proof that they have undertaken an appropriate course
of action to protect the PHI of consumers.
HHS has been requested to provide additional
definition for what would constitute “reasonable safeguards’
and has stated that in the Federal Register that “reasonable
safeguards and minimum necessary standards are flexible and
adaptable to the specific business needs and circumstances
of the covered entity. Given the discretion covered entities
have in implementing these standards it is difficult for the
Department to provide specific guidance in this area that
would be generally applicable to many covered entities. The
minimum necessary standard is intended to make covered entities
evaluate their practices and enhance protection as needed
to limit unnecessary or inappropriate access to and disclosures
of, protected health information.
The Privacy Rule sets forth requirements
for implementing the minimum necessary standard with regard
to a covered entity's uses, disclosures, and requests. A covered
entity is required to develop and implement policies and procedures
appropriate to the entity’s business practices and workforce
that reasonably minimize the amount of protected health information
used, disclosed, and requested.
The minimum necessary standard is an appropriate standard
for uses and disclosures and is not merely an administrative
requirement. The Privacy Rule provides adequate flexibility
to adopt minimum necessary policies and procedures that are
workable for the covered entity, thereby minimizing a covered
entity’s liability concerns.
Compliance and Enforcement
(Excerpted from Office of Civil Rights/Standards
for Privacy of Individually Identifiable Health Information
Regulation Text, August 14, 2002)
HHS may conduct compliance reviews to determine
whether covered entities are complying with the applicable
standards, requirements and implementation specifications.
A covered entity must keep records and compliance
reports and submit such documentation in an effort to enable
the HHS to ascertain whether the covered entity has complied
or is complying with the applicable requirements, standards,
and implementation specifications.
If an investigation or a compliance review
indicates a failure to comply the HHS will inform the covered
entity and if the matter arose from a complaint, the complainant,
in writing and attempt to resolve the matter by informal means
when possible. If HHS finds the covered entity is not in compliance
and determines that the matter cannot be resolved by informal
means the HHS may issue to the covered entity, and if the
matter arose from a complaint, to the complainant written
findings documenting the non-compliance.
Penalties for non-compliance may include but are not limited
A. Civil Penalties: $100 per violation up
to $25,000 per year for same violation
B. Criminal Penalties for knowing misuse
of information $50,000 and/or 1 year in prison; misuse under
false pretenses $100,000 and/or 5 years in prison; profiting
from release of information $250,000 and/or 10 years in prison
This law does not give individuals a private cause of action.
However, citizens can file complaints with HHS that can result
in administrative penalties as indicated above.
The compliance deadline for the initial implementation of
the privacy standards for health care providers, health plans
(other than small health plans), and health care clearinghouses
is April 14, 2003.
Thereafter, HIPAA provides the HHS with the authority to modify
the standards as deemed appropriate, but not more frequently
than once every 12 months.
FOR SUPPLEMENTARY INFORMATION
For additional information you may access the Federal Register
document on HIPAA in its entirety at the HHS Office for Civil
Rights (OCR) Privacy Web site at www.hhs.gov/ocr/hipaa/
You may also order copies of the Federal Register containing
this document by calling 202-512-1800 or toll free at 1-866-512-1800
or by fax at 202-512-2250. Cost for each copy is $10.00.