SUMMARY OF THE PROPOSED RULE FOR THE PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION

CRS Report for Congress
Individually Identifiable Health Information
March 22, 2000
Gina Marie Stevens
Legislative Attorney
American Law Division
Melinda DeAtley
Law Clerk
American Law Division


Congressional Research Service ˜ The Library of Congress

ABSTRACT
The purpose of this report is to provide a summary of the proposed rule issued November 3,
1999 to protect the privacy of individually identifiable health information. The Health
Insurance Portability and Accountability Act of 1996 required issuance of a final privacy
standard by February 21, 2000. This report will be updated as warranted.



Summary of the Proposed Rule for the Privacy of
Individually Identifiable Health Information
Summary
On November 3, 1999, the Secretary of Health and Human Services (HHS)
issued a proposed rule on patient privacy to implement the security and privacy
Administrative Simplification provisions of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). The HIPAA directed the Secretary, in the
absence of legislation governing standards with respect to the privacy of individually
identifiable health information, to promulgate final regulations containing such
standards by February 21, 2000. Although Congress considered several proposals
to protect health information, Congress did not enact legislation governing standards
with respect to the privacy of individually identifiable health information by the
August 1999 deadline imposed by HIPAA. The comment period on the proposed rule
closed on February 17, 2000, with HHS receiving more than 40,000 comments on the
proposed rule. Final regulations are anticipated this Spring.



Contents
Background .................................................... 1
Applicability ................................................ 4
General Rules..............................................7
Uses and Disclosures with Individual Authorization......................8
Uses and Disclosures When the Individual Initiates the Disclosure (§
164.508(a)(1)) .......................................... 8
Uses and Disclosures When the Covered Entity Initiates the Disclosure (§
164.508(a)(2)) .......................................... 8
Uses and Disclosures Permitted Without Individual Authorization (§ 164.510).9
Uses and Disclosures for Public Health Activities (§ 164.510(b) .......10
Uses and Disclosures for Health Oversight Activities (§ 164.510(c))....12
Uses and Disclosures for Judicial and Administrative Proceedings (§
164.510(d)) ........................................... 12
Disclosure to Coroners and Medical Examiners (§ 164.510(e))........14
Disclosure for Law Enforcement (§ 164.510(f))....................14
Uses and Disclosures for Governmental
Health Data Systems (§ 164.510(g)).........................17
Disclosure of Directory Information (§ 164.510(h)).................17
Disclosure for Banking and Payment Processes (§ 164.510(i)).........18
Uses and Disclosure for Research (§ 164.510(j))...................19
Use and disclosure in emergency circumstances (§ 164.510(k))........20
Disclosure to Next-of-Kin (§ 164.510(l)).........................20
Uses and Disclosures for Specialized Classes (§ 164.510(m))..........21
Uses and Disclosures Otherwise Required by Law (§ 164.510(n))......21
Individual Rights...........................................22
Written Notice of Information Practices (§ 164.512)................22
Access for Inspection and Copying (§ 16.514).....................23
Accounting of Disclosures (§ 164.15)...........................23
Amendment and Correction (§ 164.516).........................23
Costs .................................................... 24
Preemption (§ 160.203)......................................24
Compliance and Enforcement..................................26
Effective Date .............................................26



Summary of the Proposed Rule for the Privacy of
Individually Identifiable Health Information
Background
On November 3, 1999, the Secretary of Health and Human Services (HHS)1
issued a proposed rule on patient privacy to implement the security and privacy
Administrative Simplification provisions of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA).2 The comment period on the proposed rule
closed on February 17, 2000.3 Final regulations are anticipated this spring. The
privacy rule is one of several proposed rules published by HHS to implement the
Administrative Simplification provisions of the HIPAA.4
Sections 261 through 264 of HIPAA are known as the Administrative5
Simplification provisions. Section 262 directs HHS to issue standards to facilitate
the electronic exchange of information with respect to financial and administrative
transactions carried out by health plans, health care clearinghouses, and health care
providers who transmit electronically in connection with such transactions.6 Section
262 also directs HHS to develop standards to protect the security, including the
confidentiality and integrity, of such information. Section 264 requires the Secretary
of HHS to develop and submit to the Congress recommendations for the privacy
rights that an individual who is a subject of individually identifiable health information
should have, the procedures that should be established for the exercise of such rights,
and the uses and disclosures of such information that should be authorized.7 Section
264 also directs the Secretary, in the absence of legislation governing standards with
respect to the privacy of individually identifiable health information, to promulgate
final regulations containing such standards by February 21, 2000.


1 Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59917 -

60065 (to be codified at 45 C.F.R. pt. 160 - 164 (Nov. 3, 1999)


<http://aspe.hhs.gov/admnsimp/nprm/pvclist.htm>;
See also Hearing on the Confidentiality of Patient Records, Testimony Before theth
Subcommittee on Health of the House Committee on Ways and Means, 106 Congress (2000)
<http://www.house.gov/ways_means/health/106cong/2-17-00/2-17hamb.htm >.
2 P.L. 104-191; 42 U.S.C. § 1320d et seq.
3 64 Fed. Reg. 69981 (December 15, 1999).
4 Administrative Simplification Rules, < http://aspe.hhs.gov/admnsimp/nprm/index.htm >.
5 See, CRS Report 98-964, The Health Insurance Portability and Accountability
Act(HIPAA): Summary of the Administrative Simplification Provisions. (Nov. 18, 1998).
6 42 U.S.C. §1320d-2.
7 42 U.S.C. §1320d-2 note.

Although Congress considered several proposals to protect health information,
Congress did not enact legislation governing standards with respect to the privacy of
individually identifiable health information.8 The Secretary made preliminary
recommendations to Congress on September 11, 1997 on ways to protect individually
identifiable information.9 In the absence of federal legislation, on November 3, 1999
the Secretary issued a proposed rule to implement the Administrative Simplification
privacy standard of HIPAA.10 In the rule, HHS proposes to establish a new 45 CFR
subchapter c, parts 160 through 164. Part 160 consists of general administrative
requirements (general provisions and preemption of state law), parts 161 - 163
[reserved] will consist of the various Administrative Simplification regulations relating
to transactions and identifiers, and part 164 consists of the regulations implementing
the security and privacy requirements of HIPAA.
In the proposed rule, HHS recognized that efforts to provide legal protection
against the inappropriate use of individually identifiable health information have been
made primarily by the States, and that state protections are by and large incomplete,
and at times, inconsistent. HHS concluded that a clear and consistent set of privacy
standards would improve the effectiveness and efficiency of the health care system.
The proposal of the Secretary of Health and Human Services is intended to strike a
balance between an individual’s right to privacy of their medical records and the
public policy needs to have access to these medical records to promote public safety.
Specifically the proposed regulations are intended to “make the use and exchange of
protected health information relatively easy for health care purposes, and more11
difficult for purposes other than health care.” Thus, the information is available to
those with legitimate needs after satisfying prerequisites; while not being available as
a general rule.
These proposed regulations apply to a specified set of covered entities: health
care providers, health plans, and to health care providers who transmit the information
in electronic form.12 The materials that “covered entities”13 transmit electronically


8 See generally, Harold Relyea, Stephen Redhead, Gina Stevens, CRS Issue Brief IB98002,
Medical Records Confidentiality. (Updated regularly).
9 Confidentiality of Individually-Identifiable Health Information: Recommendations of the
Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance
Portability and Accountability Act of 1996.
< Http://aspe.os.dhhs.gov/admnsimp/pvcrec.htm >.
10 See generally, Standards for Privacy of Individually Identifiable Health Information, 64
Fed. Reg. 59917 (1999).
11 See id. at 59924.
12 See id. See generally Hearing on the Confidentiality of Patient Records supra note 1
(Statement of N. Stephen Ober, M.D., President and Chief Executive Officer, Synergy Health
Care, explains that the transfer of health information via electronic means has grown rapidly.
“...Today 62% of all healthcare claims are precessed electronically, and for hospital and
pharmacy claims the percentage is over 80%. In 1998 some 2.7 billion out of a total 4.4
billion claims were processed electronically....”) See id. See generally Hearing on the
Confidentiality of Patient Records supra note 1 (Statement of N. Stephen Ober, M.D.,
(continued...)

would include: the information itself (not the particular records in which the
information is contained), and the information as it is transformed by the receiver be
it paper or electronic file.14
The release of individually identifiable health care information would be allowed
under certain approved circumstances. Treatment, payment, and health care
operations are permissible uses for which disclosure, without individual authorization,15
is approved. Additionally, public policy approves the disclosure of this information
for “national priority activities, such as reducing health care fraud, improving quality
of treatment through research, protecting the public health, and responding to
emergency situations.”16
Health care fraud is an example which clearly illustrates the need for access to
individually identifiable health care information.17 In order to uncover health care
fraud, an individual’s care would need to be assessed for unnecessary treatments or18
bills for services which were never rendered. Some studies estimate that Medicare
and Medicaid fraud cost the state and federal government tens of billions of dollars
per year.19 Thus, access to individual health care information becomes vital in
stopping and prosecuting health care fraud and abuse.20


12 (...continued)
President and Chief Executive Officer, Synergy Health Care, explains that the transfer of
health information via electronic means has grown rapidly. “...Today 62% of all healthcare
claims are precessed electronically, and for hospital and pharmacy claims the percentage is
over 80%. In 1998 some 2.7 billion out of a total 4.4 billion claims were processed
electronically....”)
13 See id. at 59924 passim.
14 Id.
15 See id. at 59925.
16 See id., See also Hearing on the Confidentiality of Patient Records supra note 1(In order
for there to be disclosures for purposes other than treatment, payment, and operations
“specific conditions would have to be met in order for the use or disclosure of protected health
information [would be] permitted.”)
17 Kathleen S. Swendiman, Jennifer O’Sullivan, CRS Report 97-895, Health Care Fraud: A
Brief Summary of Law and Federal Anti-Fraud Activities, p. 1 (Updated Sept. 24, 1997)
(“Health care fraud has been described as an intentional attempt to wrongfully collect money
relating to medical services....”)
18 Health Law, Cases, Materials, and Problems 574 (Barry R. Furrow et al. Eds., 1997). See
also supra note 10, at 1. (“Fraud and abuse commonly involve improper billing practices by
health care providers and consumers....”)
19 See id.
20 Katheryn Ehler-Lejcher, The Expansion of Corporate Compliance: Guidance for Health
Care Entities, 25 Wm. Mitchell L. Rev. 1339 (1999) (citing that the DOJ has recouped
millions of dollars via litigation over health care fraud and abuse. Similarly the Office of the
Inspector General for DHHS has expanded its efforts in curbing incidents of health care fraud
and abuse.) Id.

However, privacy in medical records poses a very legitimate ethical issue.
Because we are discussing individually identifiable health care information, it means
that this information is linked to the individual patient.21 Therefore, confidentiality
poses a challenge to ensure that proper policy and legal constraints are maintained to
guarantee that unauthorized access is not obtained.22 The best case scenario would
be to obtain permission directly from the individual whose records for health
information is sought.23 However, instances do exist in which individual approval is24
not obtainable. What follows is a discussion of the privacy rule, a description of the
policies and procedures that would govern the circumstances under which protected
health information may be used and released with and without patient authorization,
and the requirements with respect to a patient’s right of access to her or his protected
medical information.
Applicability
HIPAA limits the scope of the Secretary’s regulations to the following covered
entities:
!Health plans25


21 Patricia I. Carter, Health Information Privacy: Can Congress Protect Confidential
Medical Information In The “Information Age,” 25 Wm. Mitchell L. Rev. 223, 234 (1999).
22 Id. at 235. But see Hearing on the Confidentiality of Patient Records supra note 1 (William
G. Plested, III, M.D., testifying on behalf of the American Medical Association (AMA) that
the “proposed regulation...does not adequately protect patient confidentiality and privacy and
that substantially and unacceptably increases administrative burdens for physicians.”
23 Id. at 234.
24 See generally supra note 1 at 59925.
25 Health plan means an individual or group plan that provides, or pays the cost of, medical
care. Such term includes, when applied to government funded or assisted programs, the
components of the government agency administering the program. “Health plan” includes the
following, singly or in combination:
(1) A group health plan, defined as an employee welfare benefit plan (as currently defined
in section 3(1) of the Employee Retirement Income and Security Act of 1974, 29 U.S.C.
1002(1)), including insured and self-insured plans, to the extent that the plan provides medical
care (as defined in section 2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg-
91(a)(2)), including items and services paid for as medical care, to employees or their
dependents directly or through insurance or otherwise, that:
(i) Has 50 or more participants; or
(ii) Is administered by an entity other than the employer that established
and maintains the plan.
(2) A health insurance issuer, defined as an insurance company, insurance service, or
insurance organization that is licensed to engage in the business of insurance in a State and
is subject to State or other law that regulates insurance.
(3) A health maintenance organization, defined as a federally qualified health maintenance
organization, an organization recognized as a health maintenance organization under State
law, or a similar organization regulated for solvency under State law in the same manner and
to the same extent as such a health maintenance organization.
(continued...)

!Health care clearinghouses,26 and
!Health care providers27 who engage in electronic administrative28


simplification transactions.
25 (...continued)
(4) Part A or Part B of the Medicare program under title XVIII of the Act.
(5) The Medicaid program under title XIX of the Act.
(6) A Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C.

1395ss).


(7) A long-term care policy, including a nursing home fixed-indemnity policy.
(8) An employee welfare benefit plan or any other arrangement that is established or
maintained for the purpose of offering or providing health benefits to the employees of two
or more employers.
(9) The health care program for active military personnel under title 10 of the United States
Code.
(10) The veterans health care program under 38 U.S.C. chapter 17.
(11) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as
defined in 10 U.S.C. 1072(4).
(12) The Indian Health Service program under the Indian Health Care Improvement Act (25
U.S.C. 1601, et seq.).
(13) The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89.
(14) An approved State child health plan for child health assistance that meets the
requirements of section 2103 of the Act.
(15) A Medicare Plus Choice organization as defined in 42 CFR 422.2, with a contract under

42 CFR part 422, subpart K.


(16) Any other individual or group health plan, or combination thereof, that provides or pays
for the cost of medical care.
26 “Health care clearinghouse means a public or private entity that processes or facilitates the
processing of nonstandard data elements of health information into standard data elements.
The entity receives health care transactions from health care providers or other entities,
translates the data from a given format into one acceptable to the intended payer or payers,
and forwards the processed transaction to appropriate payers and clearinghouses. Billing
services, repricing companies, community health management information systems,
community health information systems, and ``value-added'' networks and switches are
considered to be health care clearinghouses for purposes of this part, if they perform the
functions of health care clearinghouses as described in the preceding sentences.” 64 Fed. Reg.
at 60049.
27 “Health care provider means a provider of services as defined in section 1861(u) of the Act,
a provider of medical or health services as defined in section 1861(s) of the Act, and any other
person or organization who furnishes, bills, or is paid for health care services or supplies in
the normal course of business.” 64 Fed. Reg. at 60050.
28 “Transaction means the exchange of information between two parties to carry out financial
or administrative activities related to health care. It includes the following: (1) Health claims
or equivalent encounter information;
(2) Health care payment and remittance advice;
(3) Coordination of benefits;
(4) Health claims status;
(5) Enrollment and disenrollment in a health plan;
(continued...)

In the regulations, HHS expressed concern that many of the holders of health
information fall outside the scope of the proposed rule because of its limited
regulatory authority, and therefore cannot be covered by the regulation pursuant to29
HIPAA. Examples of such health information holders include:
!Many of the persons who obtain identifiable health information from
the covered entities (e.g., contractors, researchers, public health
officials, workers compensation carriers, researchers, life insurance
issuers, employers and marketing firms).30
!Many of the persons that covered entities hire to perform
administrative, accounting, legal, and similar services for them, and
who obtain health information in order to perform their duties.
!Any provider who maintains a solely paper information system
In background comments to the proposed rule HHS noted that it was prohibited from
proposing optimal policies to protect individually identifiable information because it
lacked authority to apply the proposed rule directly to any entity that is not a covered
entity. In response to this gap, HHS requires covered entities to apply many of the
provisions of the proposed rule to entities with whom they contract for administrative
and other services.
The proposed rule applies only to a subset of individually identifiable health
information – that which is maintained or transmitted by covered entities and which
is or has been transmitted in electronic form. Once the information has been
maintained or transmitted electronically by a covered entity, the protections of the rule


28 (...continued)
(6) Eligibility for a health plan;
(7) Health plan premium payments;
(8) Referral certification and authorization;
(9) First report of injury;
(10) Health claims attachments; and
(11) Other transactions as the Secretary may prescribe by regulation.” 64 Fed. Reg. at 60050.
29 See also Hearing on the Confidentiality of Patient Records, Testimony Before the
Subcommittee on Health of the House Committee on Ways and Means, 106th Congress
(2000)< http://www.house.gov/ways_means/health/106cong/2-17-00/2-17hamb.htm >
(Statement by the Honorable Margaret A. Hamburg, M.D. that the scope of the proposed
regulations include “health care providers who transmit health information electronically,
health plans, and health care clearinghouses...Protection would start when information
becomes electronic, and would stay with the information as long as the information is in the
hands of a covered entity....The paper progeny of electronic information is covered....”) But
see id. (Testimony of Janlori Goldman, Director, Health Privacy Project, Institute for Health
Care Research and Policy, Georgetown University, strongly urges Congress to pass a more
comprehensive regulation which would apply to “all those who generate, maintain, or receive
protected health information.”) (emphasis in the original).
30 64 FR 59923.

follow the information in whatever form, including paper records, in which it exists
(while it is held by a covered entity).
HHS expressed concern about the potential confusion that could result from its
proposal with some health information protected while other similar information
(paper records not maintained or transmitted electronically) would not be. Based on
its belief that application of the proposed rule only to information in an electronic
form will not result in adequate protection for consumers, HHS requested comment
on whether it should extend the scope of the rule to all individually identifiable
information, including purely paper records, maintained by covered entities.
Cognizant of the issue that extending its regulatory coverage might be inconsistent
with the intent of the provisions in HIPAA, HHS nonetheless stated “... we believe
that we do have the authority to do so and that there are sound rationale for providing
a consistent level of protection to all individually identifiable health information held
by covered entities.”31
General Rules
!Covered entities are prohibited from using and disclosing protected
health information (PHI) except as provided (§ 164.506)
!Covered entities can use or disclose PHI with individual
authorization (§ 164.508)
!Covered entities can use or disclose PHI without individual
authorization (§ 164.510)
!for treatment, payment, and health care operations;
!for specified public and public policy-related purposes
(including public health, research, health oversight, law
enforcement, and use by coroners;
!when required by other law (such as mandatory reporting
under state law or pursuant to search warrant)Covered entities
are required to disclose PHI
!to permit individuals to inspect and copy PHI about themselves
(§ 164.514)
!for enforcement of this rule (§ 164.522)
With certain exceptions, permitted uses and disclosures of protected health
information would be restricted to the minimum amount of information necessary to
accomplish the purpose for which the information is used or disclosed, taking into
consideration practical and technical limitations and costs. (§ 164.506(a)).
The proposed rule would also require, with narrow exceptions, covered entities
to ensure that their business partners with whom they share protected information
understand through contractual requirements that they are subject to standards
regarding use and disclosure of PHI, and agree to abide by such rules. (§ 164.506(e)).


31 Id. at 59924.

The contract between the covered entity and its business partner must limit the
business partner’s uses and disclosures of PHI to those permitted by the contract, and
impose certain security, inspection and reporting requirements on the business
partner.
The privacy standards are to be implemented by all covered entities, from the
smallest provider to the largest, multi-state health plan. Implementation of the
standards is to be flexible and scalable, to account for the nature of each covered
entities business, as well as its size and resources.
Uses and Disclosures with Individual Authorization
Uses and Disclosures When the Individual Initiates the Disclosure (§

164.508(a)(1))


Under the proposed rule, authorizations must meet the following requirements:
!The authorization must include a description of the information to be
used or disclosed.The authorization does not have to state the
purpose for the disclosure.
!The authorization must identify sufficiently the covered entity or
entities that would be authorized to use or disclose protected health
information.The authorization must identify the person or persons
that would be authorized to use or receive the protected health
information.
!The authorization must state a specific expiration date.
!The authorization must include a signature or other authentication
(e.g., electronic signature) and the date of the signature.The
authorization must include a statement that the individual
understands that she or he make revoke the authorization.
!The authorization must clearly state that when an individual
authorizes disclosure of health information to other than a covered
entity, the information would no longer be protected once it leaves
the covered entity.
Uses and Disclosures When the Covered Entity Initiates the
Disclosure (§ 164.508(a)(2))
In addition to the requirements above (when the individual initiates the
disclosure), when a covered entity initiates the authorization by asking the individual
to authorize the disclosure, the following requirements must be met:
!The authorization must include a statement that identifies the
purposes for which the authorization is sought as well as the
proposed uses and disclosures of that information. Uses or
disclosures inconsistent with that statement would constitute a
violation of the regulation.The authorization must be narrowly
tailored to authorize use or disclosure of only the protected health



information necessary to the accomplish the purpose specified in the
authorization. Broad or blanket authorizations are prohibited.
!Covered entities are required to advise individuals that they may
inspect or copy the information to be used or disclosed, that they
may refuse to sign the authorization, and that treatment or payment
could not be conditioned on the patient’s authorization. The covered
entity must provide the individual with a copy of the signed
authorization form.If the covered entity will be receiving financial or
in-kind compensation in exchange for using or disclosing the health
information the authorization must include a statement that the
covered entity will gain financially from the disclosure.
The regulations include a model form that covered entities and third parties that
wish to have information disclosed to them could use to request authorization from
individuals for use or disclosure.32 The regulations also propose that all
authorizations be written in plain language, and that covered entities be prohibited,
except in the case of certain clinical trials, from conditioning treatment or payment for
health care on obtaining an authorization for purposes other than treatment, payment
or health care operations. A covered entity would not be permitted to obtain an
authorization for use or disclosure of information for treatment, payment or health
care operations unless required by applicable law. Where such authorization is
required by law, it could not be combined with an authorization in the same document
for any purpose other than payment, treatment or health care operations (e.g.,
research). Covered entities would be required to keep a record of all disclosures for
purposes other than payment, treatment or health care operations including those
made pursuant to authorization. When an individual requests such an accounting or
a copy of a signed authorization form, the covered entity is required to provide it. An
individual is permitted to revoke an authorization at any time except to the extent that
action has been taken in reliance on the authorization. If the authorization has any of
the following defects, the effect would be that there would be no authorization: the
date has expired, it lacks a required element, it has not been filled out completely, it
is known to have been revoked or the information on the form is known by the person
holding the records to be materially false.
Uses and Disclosures Permitted Without Individual
Authorization (§ 164.510)
Throughout the entirety of section E of the proposed federal regulation on
privacy of individually identifiable health information, the proposal emphasizes the
proper functioning of the health care system as a whole.33 The categories in this
section are intended to “permit and promote key national health care priorities and to


32 Id. At 60065.
33 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 212
§164.510 (1999) (to be codified at 45 C.F.R. pt. 160 - 164) (proposed Nov. 3, 1999).

ensure that the health care system operates smoothly.”34 The purpose of this section
of the proposed regulation is to facilitate the use or disclosure without the individual’s
authorization, however the rule is intended to grant permission without creating a35
mandate.
At first the drafters considered allowing the use and disclosure of information
only where an affirmative legal requirement mandated its use or disclosure.36 In the
final draft, the proposal permits the covered entity to use or disclose the information
regardless of a legal mandate, because the activities described in the proposal benefits
society as a whole,37 expressing the sentiment that the good of the whole outweighs
that of the individual.38
Yet, in categories such as psychiatric and substance abuse records the release of
the information would have to conform to the more stringent guidelines of the
applicable law, even if the law refuses to allow its use.39 Moreover, if other law40
requires that the information be reported, the covered entity must comply.
Summarily, this proposed regulation would not give a covered entity authority to
“restrict or refuse to make a use or disclosure mandated by other law.”41
Uses and Disclosures for Public Health Activities (§ 164.510(b)
The first category of permitted uses or disclosures deals with Public Health42
Activities. Where authorized by law, the covered entity may disclose health
information to authorized public health officials without an individual’s
authorization.43 Also, where authorized by law, the covered entity may disclose
individually identifiable health information to non-governmental entities who are44
responsible for conducting public health activities. In conjunction with other
authorizing law, the proposal would allow disclosure to those “persons who are at
risk of contracting or spreading a disease.”45 Similarly, when a public hospital or local
health department (a government agency) is also the covered entity, an individual’s


34 Id.
35 See id.
36 See id.
37 See id.
38 See id.
39 See id.
40 See id.
41 See id.
42 See supra note 1, at §164.510(b).
43 See id.
44 See id.
45 Id.

health information may be disclosed to the extent allowable elsewhere in this section
of the proposed regulations.46
As elsewhere in the proposed regulations, the public health activities requirement
strives to balance the individual’s right to privacy with the overall well-being of the
community as a whole.47 The need for protected health information is created by the
priority to protect the public health.48 Thus, creating the need for the individually
identifiable health information to ensure that public health officials are able to fulfill
their obligations to “promoting health and quality of life by preventing and controlling
disease, injury, and disability.”49
These public health functions are to be given a broad reading to disclose a wide
range of public health activities.50 Examples of these public health activities include:
“reporting of vital events such as birth and death to vital statistics agencies....[and]
activities undertaken by the FDA to evaluate and monitor the safety of food, drugs,51
medical devices, and other products.” As exemplified by the FDA, the public health
authorities given access would not be limited to traditional entities such as the public
health department.52
Additionally, non-governmental agencies would also have authority to request
individually identifiable health information.53 One example may be a “device
manufacturer that collects information under explicit legal authority, or at the
direction of the Food and Drug Administration.”54 Yet, another example could be a55
teaching hospital or university that has contracted with public health authorities.
Finally, a third sub-category of individuals who may receive individually
identifiable health information are those who “could have been exposed to a
communicable disease or may otherwise be at risk of contracting or spreading a
disease or condition and is authorized by law to be notified....”56


46 See id.
47 See supra note 1, at §164.510(b)(a).
48 See id.
49 Id.
50 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 212
§164.510, at §164.510 (b)(b) (1999).
51 Id.
52 Id. at §164.510 (b)(c)(i).
53 See id. at §164.510 (b)(c)(ii).
54 Id.
55 See id.
56 Id. at §164.510 (b)(c)(iii).

Uses and Disclosures for Health Oversight Activities (§ 164.510(c))
Next, the proposed regulations would permit agencies that are public oversight
agencies access to protected health information for use in activities which are
authorized by law.57 This rule defines a public oversight agency “as a public agency
authorized by law to conduct oversight activities relating to the health care system,
a government program for which health information is relevant to determining
beneficiary eligibility or a government regulatory program for which health
information is necessary for determining compliance with program standards.”58
Uses and Disclosures for Judicial and Administrative Proceedings
(§ 164.510(d))
The proposed regulation, § 164.510(d) advances that covered entities may
disclose protected health information pursuant to an order by a court or administrative
tribunal.59 An actual court order may not be needed if the protected health information
being requested relates to either the party in the proceeding for which it is requested,
or if the disclosure is otherwise available through the proposed regulation.60 Another
instance, which may preclude the necessity of a court order, is one in which a party
to the judicial or administrative proceeding is both a government entity and also the
covered entity with the information.61 Summarily, the proposal would “permit covered
entities to disclose protected health information in a judicial or administrative
proceeding if the request for such protected health information is made through or
pursuant to a court order or an order by an administrative law judge specifically
authorizing the disclosure of protected health information.”62
This section of the proposed regulation is intended to provide access to
individual health information in situations that involve judicial and administrative
proceedings.63 It anticipates that “litigants, government agencies, and others request
information for judicial or administrative proceedings, including judicial subpoenas,


57 See id. at §164.510 (c)(a).
58 Id. at §164.510 (c)(b). (Examples of such agencies include: first category-State Medicaid
fraud control units; second category-Department of Education; third category-Occupational
Health and Safety Administration.) Id.
59 Standards for Privacy of Individually Identifiable Health Information see supra note 1, at
59958. See also Charles Doyle, Congressional Research Service, Law Enforcement Access
to Third Party Records: Legal Attributes of Procedural Alternatives 7 (General Distribution
Memo) (1999). (“Administrative subpoenas may be either investigative (roughly analogous
to a grand jury subpoena) or adjudicatory (roughly analogous to a trial subpoena) depending
upon the nature of the administrative context in which they arise.”)
60 Standards for Privacy of Individually Identifiable Health Information, see id. But see
Hearing on the Confidentiality of Patient Records supra note 12. (The AMA recommends that
an order be required for access to records for all judicial and administrative hearings.)
61 Standards for Privacy of Individually Identifiable Health Information, see id.
62 Id. at 59959.
63 See id.

subpoenas duces tecum, notices of deposition, interrogatories, and administrative
proceedings….” 64
The covered entity would be required to confirm the validity of such order prior
to releasing the information.65 This confirmation would simply entail determining
“that the request is pursuant to a court order…or if the individual who is the subject
of the protected health information is a party to the proceeding and his or her medical66
condition or history is at issue.”
Yet, the covered entity would not be required in this instance to conduct an
independent investigation to determine the legality of the court order or request.67
Simply reviewing the request and finding it compliant with the terms of the proposed
regulation would be sufficient.68 For example, if the request is accompanied by a
court order, the covered entity may rely on the statement within the order, which
requests the individual’s health information.69 However, the covered entity may not70
release more information than is requested by the order.
When a request is not accompanied by a court order, the covered entity must
determine the following: “whether the request relates to the protected health
information of a litigant whose health is at issue, a written statement from the
requester certifying that the protected health information being requested is about a
litigant to the proceeding and that the health condition of such litigant is at issue at
such proceeding.”71 Also, under these proposed regulations, the party to the
proceeding who is seeking the release of the information would generally need to seek
judicial review prior to submitting the request.72 The exception to this requirement
would be one in which the information is relevant to the proceeding, which allows for
the party in opposition to object through his or her counsel.73
Finally, the proposed regulations also note that more stringent rules exist which
protect individual medical information, and acknowledge that these other rules would
remain in place.74 For example, when the topic of the medical records is disclosing


64 Id.
65 See id..
66 Id.
67 See id.
68 See id.
69 See id.
70 See id.
71 Id.
72 See id.
73 See id.
74 See id.

substance abuse or psychiatric records, the current federal and state laws would
continue to govern these cases.75
Disclosure to Coroners and Medical Examiners (§ 164.510(e))
Because coroners and medical examiners have a legal duty to “identify deceased
persons and determine cause of death,” they maintain a legitimate need for readily
available individually identifiable health information.76 This portion of the proposed
regulation is particularly important for expediency reasons, since there is a limited
amount of time in which an autopsy may be done after death.77 However, covered
entities would have an obligation to “verify the identity of the coroner or medical
examiner making the request...and the legal authority supporting the request.”78
Disclosure for Law Enforcement (§ 164.510(f))
Law enforcement officials have enhanced access to individual medical records
when conducting criminal investigations.79 The proposed regulations would not curb
law enforcement access to these medical records, only require them in some instances
to gain a subpoena or warrant in order to gain access.80
Section 164.510(f) permits covered entities to release individually identifiable
health information without the individual’s authorization when the law enforcement
official is acting in his or her official capacity with certain qualifications.81 The law82
enforcement official may be conducting lawful intelligence activities. Other incidents
may include, when the law enforcement official needs the protected health information
and it is related to the “victim of a crime, abuse or other harm, if the information is
needed to determine both whether a violation of law by a person other than the victim
has occurred and whether an immediate law enforcement activity might be


75 See id. (referencing the governing of substance abuse records under 42 U.S.C. 290dd-2
which implement 42 CFR part 2; and the discovery of psychiatric records under Jaffee v.
Redmond, 116 S.Ct. 1923 (1996)).
76 Id. at §164.510(e).
77 See id.
78 Id.
79 See supra note 11 at 282.
80 See supra note 1 at 59960 – 59961. But see Hearing on the Confidentiality of Patient
Records supra note 12. (The AMA believes that law enforcement should be allowed access
to an individual’s medical information only via a court order. In his testimony for the AMA,
Dr. Plested explained that “[p]hysicians and their patients have repeatedly experienced the
intrusion of law enforcement into patients’ personal medical information when no need for
identifiable information is established and no protections are provided. The unfortunate result
is less-rather than greater-confidence in the law enforcement and judicial systems of this
country.”)
81 Standards for Privacy of Individually Identifiable Health Information, see id. at 59960.
82 See id.

necessary.”83 A health care provider or health plan may act in good faith to release
information to a law enforcement agent when a crime is suspected of being
committed.84 “[I]f the plan or provider believed in good faith that the disclosed
protected health information would constitute evidence of criminal conduct that
constitutes health care fraud occurred on the premises of the covered entity, or was
witnessed by an employee of the covered entity.”85
Many of these requirements that precede the release of protected health
information are consistent with the rules governing criminal procedure. Most notably
they are consistent with the Fourth Amendment to the Constitution. The Fourth
Amendment to the Constitution provides, “the right of the people to be secure in their
persons, houses, papers, and effects, against unreasonable searches and seizures, shall
not be violated, and no Warrants shall issue, but upon probable cause, supported by
Oath or affirmation, and particularly describing the place to be searched, and the
persons or things to be seized.”86 In order for a person to qualify for the Fourth
Amendment protections they must satisfy two requirements: the person must
demonstrate actual, subjective, expectation of privacy; and this expectation of privacy
must be one that society recognizes as being legitimate.87 Society generally
recognizes that a person has a right to privacy in regard to their medical records.88
Thus, necessitating a warrant in order to divulge the contents of these protected
records or probable cause to proceed without a warrant.
A law enforcement official must have probable cause89 prior to a search taking
place. In order to have probable cause for a search it must be more likely than not that
the specific items to be searched for are connected with criminal activity; and that
these items will be found in the place to be searched.90 Furthermore, when there are
exigent circumstances the warrant clause may not apply.91 The most common exigent
circumstances are as follows: preventing the imminent destruction of evidence,
preventing harm to persons, and being in “hot pursuit” of a suspect.92


83 Id.
84 See id.
85 Id.
86 U.S. Const. Amend. IV.
87 See, Katz v. United States, 389 U.S. 347 (1967).
88 See supra note 11 at 231.
89 See Doyle, supra note 15, at 1 n.2. (The meaning of probable cause for law enforcement
is that it is a “fair probability that contraband or evidence of a crime will be found in a
particular place,” Illinois v. Gates, 462 U.S. 213, 238 (1983)).
90 See American Criminal Procedure Cases and Commentary 67 - 94 (Stephen A. Saltzburg
& Daniel J. Capra eds., 5th ed. 1996).
91 See id. at 278 – 299.
92 See id.

This brief Fourth Amendment information will assist in further reviewing the
proposed regulations in regard to law enforcement. Many of the prerequisites for law
enforcement officials are reflective of the standards in criminal procedure.
Many times the law enforcement official will obtain necessary evidence by first
obtaining a “judicially executed warrant, an administrative subpoena, or a grand jury
subpoena.”93 Thus, this step of the legal process is consistent with the Fourth94
Amendment requirement. Yet, the proposed regulations also allow for other
circumstances, such as time constraints to necessitate the release of information
without first obtaining a warrant.95 The example which is given is when “health
information may be needed when a law enforcement official is attempting to96
apprehend an armed suspect who is rapidly fleeing.” This example also parallels
when the Warrant Clause of the Fourth Amendment would not apply in exigent
circumstances.97 The exigent circumstance here is “hot pursuit,” the officer is chasing
a fleeing suspect.
When the release of protected health information is in the public interest the
proposed regulations favor making them available to law enforcement officials.98
Specifically when the information is being sought as part of an investigation or as99
evidence at trial.
The proposed regulation suggests that the covered entity review an
administrative request by applying a three-part test.100 The distinction put forth is that
the administrative actions lack the protections that exist with an independent judicial
officer or the secrecy of a grand jury.101 Therefore, a “covered entity could disclose
protected health information pursuant to an administrative request, [after determining
that] (i) the records sought are relevant and material to a legitimate law enforcement
inquiry; (ii) the request is as specific and narrowly drawn as reasonably practicable;
and (iii) de-identified information could not reasonably be used to meet the purpose
of the request.”102


93 Standards for Privacy of Individually Identifiable Health Information, supra note 1, at

59960.


94 See supra note 39.
95 See supra note 46.
96 Id.
97 See supra note 43.
98 Standards for Privacy of Individually Identifiable Health Information, see supra note 1, at

59960.


99 See id.
100 Standards for Privacy of Individually Identifiable Health Information, see supra note 1, at

59961.


101 See id.
102 Id.

Once more, the Federal law regarding substance abuse would remain in effect.103
This regulation would not pre-empt the protections given psychiatric and substance
abuse records.104
The regulations seek to suspend enforcement of the regulation should the
covered entity “disclose protected health information to law enforcement officials in
a good faith belief that the disclosure was permitted under [the] title.”105 In keeping
with the overall intent of the proposed regulation, the balance between the greater
public good and the privacy of the individual is sought.106
Uses and Disclosures for Governmental Health Data Systems (§

164.510(g))


As part of the government’s efforts to “improve public policies and program
management, improve health care and reduce costs, and improve information available
for the consumer,” protected health care information may be made available to
government agencies who collect and analyze data.107 The government uses the108
health care data to analyze and improve all aspects of the health care system. Not
all states explicitly provide authority to collect this data, therefore, specific legal109
authority need not be a prerequisite for permitting access to this information. In
fact, many agencies rely on a broad authority for legal access to such information.110
Thus, this access would continue under the proposed regulations.
Disclosure of Directory Information (§ 164.510(h))
This section of the proposed regulations focuses narrowly on inpatient111
facilities. The proposed regulations apply to the patient directories which are kept
to provide general information on the patient such as “allowing confirmation of a
person’s presence in a facility, providing the room number for visits and deliveries,


103 Standards for Privacy of Individually Identifiable Health Information, see supra note 1, at

59963.


104 See id.
105 Standards for Privacy of Individually Identifiable Health Information, supra note 1, at

59964.


106 See id.
107 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg.

212 §164.510(g) (1999).


108 Id.
109 See id.
110 See id.
111 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg.

212 §164.510(h) (1999).



and sometime providing general information on the patient’s condition.”112 As these
services cannot be provided without revealing an individual’s health information, the
proposed regulations require that the covered entity first seek the approval of the113
patient. Should the patient be incapacitated then the proposed regulations indicate
that a legal guardian or representative for the patient be asked to make the decision.114
If a patient is incapacitated without a guardian, or admitted to the facility in an
unconscious state, the covered entity is authorized to make the determination.
However, should the patient’s condition improve or a legal representative present
themselves, they should be consulted as to their wishes at the earliest possible time.115
Disclosure for Banking and Payment Processes (§ 164.510(i))
Means of payment may often times identify the condition for which treatment
was received.116 However, the proposed regulations would not seek to impede this117
process due to its negative impact on the health care system. For the purposes of
collecting, billing, or authorizing payment of healthcare, minimal information would
be allowed to be released under the proposed regulations.118 It would not be
appropriate to include diagnostic or treatment information, however information that
would be permissible includes: “(1)name and address of account holder; (2) the name
and address of the payer or provider; (3) the amount of the charge for health service;
(4)the date on which the health services were rendered; (5) the expiration date for the
payment mechanism, if applicable...(6) the individual’s signature.”119
While the proposed regulations limit the information which may be provided to
a financial institution, it is recognized that financial institutions may offer services
beyond banking.120 Under these circumstances, the regulations leave room for a121
banking institution to provide tracking services, or business partnerships. In these
instances, the regulations would expand to approve further exchanges of health
information. 122


112 Id. at §164.510(h)(a).
113 See id. at §164.510(h)(b).
114 See id.
115 See id.. at §164.510(h )(b)(i), at §164.510(h)(b)(ii).
116 See id. at §164.510(i).
117 See id.
118 See id.
119 Id.
120 See generally supra note 39.
121 See id. at §164.510(i)(b).
122 See id.

Uses and Disclosure for Research (§ 164.510(j))
The proposed regulations in §164.510(j) concern the use and disclosure of
individually identifiable health information for research purposes.123 The health
information may be disclosed for research, regardless of the funding source as long
as written requirements are fulfilled. In order to allow use or disclosure the covered
entity must obtain in writing: waiver of authorization, date of approval, categories of
criteria, and required signature.124
More specifically, the proposed regulations intend for the covered entities to
enter into a written contract with the researcher, before they may access individually
identifiable health information without the specific authorization of the individual.125
The waiver of authorization must be approved by either an Institutional Review Board
(IRB), or a privacy board.126 The requirements of the IRB are codified at 45 CFR127

46.107. Otherwise, the review board must meet three suggested criteria:


(A) Has members with varying backgrounds and appropriate professional
competency as necessary to review the research protocol; (B) Includes at
least one member who is not affiliated with the entity conducting the
research or related to a person who is affiliated with such entity; and (C)
Does not have any member participating in a review of any project in which
the member has a conflict of interest.128
Should a review board not meet this criteria, the covered entity would then not be
permitted to disclose the information. However, if the review board meets the criteria,
then the date of approval must accompany the approval of the waiver.129
The review board must determine that the authorization satisfies the following:
!The use or disclosure of protected health information involves
no more than minimal risk to the subjects;
!The waiver will not adversely affect the rights and welfare of
the subjects;
!The research could not practicably be conducted without the
waiver;
!Whenever appropriate, the subjects will be provided with
additional pertinent information after participation;


123 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg.

212§164.510(j) (1999) (to be codified at 45 C.F.R. pt. 160-164) (proposed Nov. 3, 1999).


124 See id.
125 See id.
126 See id at §164.510(j)(1).
127 See id at §164.510(j)(1)(i).
128 Id. at §164.510(j)(1)(ii).
129 Id at §164.510(j)(2).

!The research could not practicably be conducted without
access to and use of the protected health information;
!The research is of sufficient importance so as to outweigh the
intrusion of the privacy of the individual whose information is
subject to the disclosure;
!There is an adequate plan to protect the identifiers from
improper use and disclosure;
!There is an adequate plan to destroy the identifiers at the
earliest opportunity consistent with conduct of the research,
unless there is a health or research justification for retaining the
identifiers. 130
Finally, the chair of the board, either the IRB or the privacy board, must sign the
waiver in order for the waiver to be official.131
Use and disclosure in emergency circumstances (§ 164.510(k))
This section is proposed to complement the sections for disclosure under law132
enforcement and public health. It would apply in circumstances which may not be
fully covered under these other sections. Circumstances which may require the use or
disclosure of this information are emergency first responders which includes law
enforcement personnel, and other emergency response personnel.133
The proposed regulation specifically requires that a covered entity comply with
“applicable law and standards of ethical conduct and based on a reasonable belief that
the use or disclosure is necessary to prevent or lessen a serious or imminent threat to134
health or safety of an individual or the public....”
A covered entity would be permitted to disclose the health information based
upon a request from an official with apparent authority.135 The disclosure by the
covered entity may be made upon a reasonable belief that the disclosure is one of
necessity. 136
Disclosure to Next-of-Kin (§ 164.510(l))
The proposed regulation would require health care providers to obtain a verbal
agreement from the individual, when that individual has the capacity to make his or
her own health decisions, before disclosing protected health information to next-of-


130 See id. at §614.510(j)(3)(i-iv).
131 See id. at §614.510(j)(4).
132 See id. at §614.510(k).
133 See id. at §614.510(k)(1).
134 Id.
135 See id. at §614.510(k)(2).
136 See id.

kin, other family members, or to others with whom the individual has a close personal
relationship. Where it is impractical or not feasible to obtain verbal agreement,
providers could disclose information that is directly relevant to the person’s
involvement in the individual’s care, consistent with good professional health practices
and ethics.137
Uses and Disclosures for Specialized Classes (§ 164.510(m))
The use and disclosure of individually identifiable health information by a
covered entity without the individual’s authorization may also be necessary and
permissible in unique situations such as federal programs. The disclosures under this
section range from military purposes to Department of State.138
When a health plan or health care provider is requesting information from an
appropriate military command authority, it may provide the information on military
personnel.139 The Federal Register requires that this proper military authority has
complied with the following:
(i) Appropriate military command authorities;
(ii) The circumstances for which use or disclosure without
individual authorization would be required; and
(iii) Activities for which such use or disclosure would occur in140
order to assure proper execution of the military mission.
The Department of Veterans Affairs may also utilize protected health
information.141 They may use it to “determine eligibility for entitlement to” benefits142
provided by the Veterans Administration. Other federal entities which may utilize
otherwise protected health information include: the Intelligence Community (see
National Security Act, 50 U.S.C. 401(a)), the Department of State (specifically
mentioned is the Foreign Service).143
Uses and Disclosures Otherwise Required by Law (§ 164.510(n))
The proposed regulation allows covered entities to use or disclose protected
health information if such use or disclosure is not addressed elsewhere in § 164.510
(uses and disclosures for which individual authorization is not required), is required


137 See id. §164.510(l).
138 See id at §614.510(m)(1-4).
139 See id at §164.510(m)(1).
140 See id.
141 See id. at §164.510(m)(2).
142 See id.
143 See id. at §164.510(m)(3-4).

by other law, and the disclosure meets all the relevant requirements of the law.144 An
example of another law requiring disclosure could be State workers’ compensation
laws. This section would permit health care providers to report abuse of any person
as required by State law (child abuse or neglect, elder abuse or neglect). HIPAA
specifically required that this regulation not interfere with State requirements for
reporting abuse.145 In addition, the regulation was designed not to interfere with State
requirements that health care providers report gunshot wounds and certain other
conditions related to violence.
Individual Rights
Four basic individual rights would be created: the right to a notice of information
practices; the right to obtain access to protected health information about them; the
right to obtain access to an accounting of how their protected health information has
been disclosed; and the right to request amendment and correction of protected health
information. The rights would apply with respect to protected health information held
by health care providers and health plans. Clearinghouses would not be subject to all
of these requirements because as business partners of covered plans and providers,
clearinghouses would not usually initiate or maintain direct relationships with
individuals.
Written Notice of Information Practices (§ 164.512)
HHS proposes that individuals have a right to an adequate notice of the
information practices of covered plans and providers. The notice would be intended
to inform individuals about what is done with their protected health information and
about any rights they may have with respect to that information. Federal agencies146
must adhere to a similar notice requirement pursuant to the Privacy Act of 1974.
Notices must include in plain language a statement which describes the uses and
disclosures, and the entity’s policies and procedures with respect to such uses and
disclosures. The notice must state that other uses and disclosures will be made only
with the individual's authorization and that such authorization may be revoked; that
an individual may request that certain uses and disclosures of his or her protected
health information be restricted, and that the covered entity is not required to agree
to such a request; that an individual has the right to request inspection and copying,
amendment or correction, and an accounting of the disclosures of her or his protected
health information by the covered entity; and that the covered entity is required by law
to protect the privacy of individually identifiable health information. Individuals may
complain to the covered entity or to the Secretary if they believe their privacy rights
have been violated.


144 See id. § 164.510(n).
145 See, Section 1178(b) of HIPAA.
146 5 U.S.C. 552a(e)(3).

Access for Inspection and Copying (§ 16.514)
The proposed rule provides that an individual has a right of access to, which
includes a right to inspect and obtain a copy of, his or her protected health
information from a covered entity that is a health plan or a health care provider,
including non-duplicative information in a business partner's record, for so long as the
information is maintained. The rule also established various grounds upon which a
covered entity may deny a request for access. The access procedures must provide
a means by which an individual can request inspection or a copy of protected health
information about her or him, and provide for action on such requests not later than
30 days following receipt of the request. Where the request is accepted, the covered
entity must notify the individual of the decision and of any steps necessary to fulfill the
request; provide the information requested in the form or format requested; facilitate
the process of inspection and copying; and assess a reasonable, cost-based fee for
copying, if desired. Where the request is denied in whole or in part, the covered
entity must provide the individual with a written statement in plain language of the
basis for the denial, and a description of how the individual may complain to the
covered entity or to the Secretary.
Accounting of Disclosures (§ 164.15)
The proposed rule provides that, subject to certain exceptions, an individual has
a right to receive an accounting of all disclosures of protected health information
made by a covered entity as long as such information is maintained by the entity. An
accounting is not required for disclosures for treatment, payment and health care
operations or for disclosures to health oversight or law enforcement agencies, if the
health oversight or law enforcement agency has provided a written request stating that
the exclusion is necessary because disclosure would be reasonably likely to impede the
agency's activities.
Amendment and Correction (§ 164.516)
The proposed rule provides that an individual has the right to request a health
plan or health care provider to amend or correct protected health information about
her or him for as long as the covered entity maintains the information. A covered
entity may deny a request for amendment or correction, if it determines that the
information that is the subject of the request was not created by the covered entity,
would not be available for inspection and copying or is accurate and complete. A
covered entity that is a health plan or health care provider must have procedures to
enable individuals to request amendment or correction, to determine whether the
requests should be granted or denied, and to disseminate amendments or corrections
to its business partners and others to whom erroneous information has been disclosed.
Where the request is denied in whole or in part, the covered entity must provide the
individual with a written statement in plain language of the basis for the denial, a
description of how the individual may file a written statement of disagreement with
the denial; and a description of how the individual may complain to the covered entity
or to the Secretary.



Costs
Section 1172(b) of the HIPAA provides that “(a)ny standard adopted under this
part (part C of title XI of the Act) shall be consistent with the objective of reducing
the administrative costs of providing and paying for health care.”147 In the Regulatory
Impact and Regulatory Flexibility Analysis accompanying the proposed rule, HHS
recognized that the proposed privacy standards would entail substantial initial and
ongoing administrative costs for entities subject to the rules. However, HHS’ analyses
also indicate that the rules should produce administrative and other cost savings that
should offset such costs on a national basis.
The total cost of development of privacy policies and procedures for providers
and plans is estimated to be $395 million over five years. With respect to revisions
to electronic data systems, the additional cost of the privacy element would be about
$90 million over five years. The development costs for notice of privacy practices is
estimated at $30 million over five years. The total five year cost of providing notices
to all provider patients and customers would be approximately $209 million. The
total cost to plans of providing notices would be $231 million over five years. The
cost of inspection and copying is estimated to be $405 million over five years. The
total cost of amending and correcting patient records will be $2 billion over five years.
Written patient authorizations are estimated to generate costs of approximately $271
million over five years. The estimated total cost of paperwork and training is
estimated at $110 million over five years. Overall, the five-year costs, beyond those
already included in the administrative simplification estimates, would be about $3.8
billion over five years, with an estimated range of $1.8 to $6.3 billion.148
Preemption (§ 160.203)
The general rule is that any standard, requirement, or implementation
specification adopted pursuant to subchapter C – Administrative Data Standards and
Related Requirements – that is contrary149 to a provision of State law preempts the150
provision of State law. The general rule applies, except where one or more of the
following conditions is met:
!A determination is made by the Secretary that the provision of State
law is necessary


147 42 U.S.C. § 1320d-1.
148 64 Fed. Reg. at 60014-60018.
149 “Contrary, when used to compare a provision of State law to a standard, requirement, or
implementation specification adopted under this subchapter, means:
(1) A party would find it impossible to comply with both the State and federal requirements;
or
(2) The provision of State law stands as an obstacle to the accomplishment and execution of
the full purposes and objectives of part C of title XI of the Act or section 264 of P.L. 104-

191, as applicable.” 64 Fed. Reg. At 60050.


150 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. At

60051.



– to prevent fraud and abuse, to ensure appropriate State regulation of
insurance and health plans, for State reporting on health care delivery or
cost, or for other purposes related to improving the Medicare program, the
Medicaid program, or the efficiency and effectiveness of the health care
system (§ 160.203(a)(1)); or
!A determination is made by the Secretary that the provision of State
law addresses controlled substances (§ 160.203(a)(2);
!The provision of State law
– relates to the privacy of health information and is more stringent than a
standard, requirement, or implementation requirement adopted under
subpart E (Privacy of Individually Identifiable Health Information) (§

160.203(b));


– or the State established procedures, are established under a State law
providing for the reporting of disease or injury, child abuse, birth, or death,
or for the conduct of public health surveillance, investigation, or
intervention (§ 160.203(c));
– requires a health plan to report, or to provide access to, information for
the purpose of management audits, financial audits, program monitoring
and evaluation, facility licensure or certification, or individual licensure
certification (§ 160.203(d)).
A State may request that the Secretary except a provision of State law from
preemption under section 160.203(a). The State’s request to the Secretary must
include the State law for which the exception is requested, an explanation of how
health care providers, health plans, and other entities would be affected by the
exception, of how long the exception would be in effect, and the reasons why the
State law should not be preempted. The Secretary’s determination is to be made on
the basis of the extent to which the State has demonstrated that one or more of the
preemption exceptions criteria has been met. If the federal requirement accomplishes
the purposes of the preemption exception criteria as well as or better than the State
law, the request will be denied. An exception granted is effective for three years, and
has effect only with respect to transactions taking place wholly within the State for
which the exception was requested. Determinations made by the Secretary will be
published annually in the Federal Register.
The Secretary may, either at the State’s request or at her own initiative, issue
advisory opinions as to whether a provision of State law constitutes an exception
under section 160.203(b) to the general rule of preemption. The State’s request to
the Secretary must include the State law for which the exception is requested, the
particular standard for which exception is requested, an explanation of how health
care providers, health plans, and other entities would be affected by the exception, of
how long the exception would be in effect, and the reasons why the State law should
not be preempted. The Secretary’s determination is to be made on the basis of the
extent to which the State has demonstrated that the criteria of section 160.203(b)
have been met. An exception granted has effect only with respect to transactions



taking place wholly within the State for which the exception was requested. Advisory
opinions made by the Secretary will be published annually in the Federal Register.
Compliance and Enforcement
The Secretary is authorized to provide technical assistance to covered entities.
An individual may file a compliant with the Secretary if the individual believes that the
covered entity is not complying with the rule. Where the complaint relates to the
alleged failure of a covered entity to amend or correct protected health information,
the Secretary will determine whether the required procedures have been complied
with but will not determine whether the information involved is accurate, complete,
or whether errors or omissions might have occurred. The Secretary may conduct
compliance reviews, and covered entities are required to cooperate with the Secretary
in such a review. Covered entities may not intimidate, threaten, coerce, discriminate
against, or take other retaliatory action against an individual for filing a complaint, for
testifying, assisting, participating in an investigation, compliance review, proceeding
or hearing under this Act, or opposing any act or practice made unlawful. If an
investigation or compliance review, proceeding or hearing indicates a failure to
comply, the Secretary will resolve the matter by informal means whenever possible.
If the matter cannot be resolved informally, the Secretary may issue written findings,
and may use the findings as a basis for initiating action under section 1176 of the Act
(civil monetary penalties)151 or initiating a criminal referral under section152

1177(penalties for disclosing individually identifiable health information).


Effective Date
A covered entity has 24 months following the effective date of the rule to be in
compliance, except that small health plans have 36 months to come into compliance.


151 Section 1176 of the Act establishes civil monetary penalties for violation of the provisions
in part C of title XI of the Act, subject to several limitations. Penalties may not be more than
$100 per person per violation and not more than $25,000 per person for violations of a single
standard for a calendar year.
152 Section 1177 establishes penalties for any person that knowingly uses a unique health
identifier, or obtains or discloses individually identifiable health information in violation of
the part. The penalties include: (1) A fine of not more than $50,000 and/or imprisonment of
not more than 1 year; (2) if the offense is ``under false pretenses,'' a fine of not more than
$100,000 and/or imprisonment of not more than 5 years; and (3) if the offense is with intent
to sell, transfer, or use individually identifiable health information for commercial advantage,
personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of
not more than 10 years. These penalties do not affect any other penalties that may be imposed
by other federal programs.