WASHINGTON – U.S. Senators Tammy Baldwin (D-WI) and Bill Cassidy, M.D. (R-LA) introduced the Health Data Use and Privacy Commission Act to begin the process of modernizing health privacy laws and regulations. The presence of technology companies in health care is increasing, and health information is expanding beyond the reach of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is a law more than 25 years old that protects interactions between patients and their doctors, but it does not protect health data obtained through emerging technologies, which creates a risk for consumers.
This legislation forms a health data and privacy commission to research and give official recommendations to Congress on how to modernize health data use and privacy laws, ensuring patient privacy and trust while balancing innovation and ensuring that health data can be used in ways that advance care.
“Folks across Wisconsin and the country are rightfully concerned about the security of their personal information, especially individual health care data, and it is time to give Americans better protection over these records,” said Senator Baldwin. “I am excited to introduce the bipartisan Health Data Use and Privacy Commission Act to help inform how we can modernize health care privacy laws and regulations to give Americans peace of mind that their personal health information is safe, while ensuring that we have the tools we need to advance high-quality care.”
“As a doctor, the potential of new technology to improve patient care seems limitless. But Americans must be able to trust that their personal health data is protected if this technology can meet its full potential,” said Dr. Cassidy. “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”
This legislation is supported by the American College of Cardiology, Association for Behavioral Health and Wellness, Association of Clinical Research Organizations, athenahealth, Inc., Epic Systems Corporation, Executives for Health Innovation, Federation of American Hospitals, Health Innovation Alliance, IBM, National Multiple Sclerosis Society, Teladoc Health, United Spinal Association, and Families USA.
“By proposing this legislation, Senators Baldwin and Cassidy are showing strong bipartisan leadership. Protecting the privacy and security of patient data is critical to providing quality care,” said Judy R. Faulkner, CEO of Epic Systems of Verona, WI.
The Health Data Use and Privacy Commission Act would establish a commission to:
Specifically, the Commission is charged with drafting recommendations and conclusions on the following:
A one-pager on the legislation is available here.
Full text of the legislation is available here.
(Note: The information provided below is a summary and intended for general informational purposes. Mental health providers and other covered entities should not rely on this summary as a source of legal information or advice and should consult with their own attorney or HIPAA Privacy Officer for specific guidance.)
This document provides guidance about key elements of the requirements of the Health Insurance Portability and Accountability Act (HIPAA), federal legislation passed in 1996 which requires providers of health care (including mental health care) to ensure the privacy of patient records and health information. HIPAA required the federal Department of Health and Human Services (HHS) to develop regulations to implement these privacy requirements, called the Privacy Rule, which became effective on April 14, 2003. State statutes which provide more stringent protections of health care privacy remain in effect even after HIPAA, and therefore this document includes a few relevant references to requirements in New York State's mental health confidentiality statute (section 33.13 of the Mental Hygiene Law).
The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the first comprehensive Federal protection for the privacy of health and mental health information. The Rule is intended to provide strong legal protections to ensure the privacy of individual health information, without interfering with patient access to treatment, health care operations, or quality of care.
The Privacy Rule applies to “covered entities,” which generally include health plans and health care providers that transmit health information in electronic form. Covered entities include almost all health and mental health care providers, whether outpatient, residential or inpatient, as well as other persons or organizations that bill or are paid for health care.
Basic Principles of the Privacy Rule:
(Note: One must consult not only HIPAA but also other relevant federal privacy laws (such as regulations pertaining to Medicaid and federally funded substance abuse treatment programs), as well as State privacy laws (including the Mental Hygiene Law, section 33.13; the Public Health Law; the Education Law licensing provisions; and the Civil Practice Law and Rules), to determine whether a disclosure of medical information is permissible in a given circumstance.)
Permitted Uses or Disclosures of PHI Without Authorization:
Extensive provisions of the Privacy Rule describe circumstances under which covered entities are permitted to use or disclose PHI, without the authorization of the individual who is the subject of the protected information. These purposes include, but are not limited to, the following:
“Minimum Necessary” Rule:
A covered entity must make reasonable efforts to use, request, or disclose to others only the minimum amount of PHI needed to accomplish the intended purpose of the use, request, or disclosure. When the minimum necessary standard applies, a covered entity may not use, disclose, or request a person's entire medical record unless it can specifically justify that the entire record is reasonably needed.
The minimum necessary standard does not apply under the following circumstances:
Penalties for Violation of HIPAA:
To view the entire Privacy Rule, or for other information about how it applies, visit the website of the HHS Office for Civil Rights at: http://www.hhs.gov/ocr/hipaa/