The health insurance portability and accountability act ensures strong privacy protections

WASHINGTON – U.S. Senators Tammy Baldwin (D-WI) and Bill Cassidy, M.D. (R-LA) introduced the Health Data Use and Privacy Commission Act to begin the process of modernizing health privacy laws and regulations. The presence of technology companies is increasing in health care, and health information is expanding beyond the reach of The Health Insurance Portability and Accountability Act (HIPAA). HIPAA is an over 25-year-old law that protects all interactions between patients and their doctors, but does not protect health data obtained from emerging technologies which creates a risk for consumers.

This legislation forms a health and privacy commission to research and give official recommendation to Congress on how to modernize the use of health data and privacy laws to ensure patient privacy and trust while balancing while balancing innovation and ensuring that health data can be used in a way that advances care.

 “Folks across Wisconsin and the country are rightfully concerned about the security of their personal information, especially individual health care data, and it is time to give Americans better protection over these records,” said Senator Baldwin. “I am excited to introduce the bipartisan Health Data Use and Privacy Commission Act to help inform how we can modernize health care privacy laws and regulations to give Americans peace of mind that their personal health information is safe, while ensuring that we have the tools we need to advance high-quality care.”

“As a doctor, the potential of new technology to improve patient care seems limitless. But Americans must be able to trust that their personal health data is protected if this technology can meet its full potential,” said Dr. Cassidy. “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”

This legislation is supported by American College of Cardiology, Association for Behavioral Health and Wellness, Association of Clinical Research Organizations, athenahealth, Inc, Epic Systems Corporation, Executives for Health Innovation, Federation of American Hospitals, Heath Innovation Alliance, IBM, National Multiple Sclerosis Society, Teladoc Health, United Spinal Association, and Families USA.

“By proposing this legislation, Senators Baldwin and Cassidy are showing strong bipartisan leadership. Protecting the privacy and security of patient data is critical to providing quality care,” said Judy R. Faulkner, CEO of Epic Systems of Verona, WI. 

The Health Data Use and Privacy Commission Act would establish a commission to:

• Conduct a coordinated and comprehensive review and comparison of existing protections of personal health information at the state and federal level, as well as current practices for health data use by the health care, insurance, financial services, consumer electronics, advertising, and other industries;
• Provide recommendations to Congress on whether federal legislation is needed to modernize health data privacy, and if so, how to do it; and
• Be charged with submitting a report to Congress and the President six months after all members are appointed, and include 17 members to be appointed by the Comptroller General.

Specifically, the Commission is charged with drafting recommendations and conclusions on the following:

• The potential threats posed to individual health privacy and legitimate business and policy interests.
• The purposes for which sharing health information is appropriate and beneficial to consumers and the threat to health outcomes and costs if privacy rules are too stringent.
• The effectiveness of existing statutes, regulations, private sector self-regulatory efforts, technology advances, and market forces in protecting individual health privacy.
• Recommendations on whether federal legislation is necessary, and if so, specific suggestions on proposals to reform, streamline, harmonize, unify, or augment current laws and regulations relating to individual health privacy, including reforms or additions to existing law related to enforcement, preemption, consent, penalties for misuse, transparency, and notice of privacy practices.
• Analysis of whether additional regulations may impose costs or burdens, or cause unintended consequences in other policy areas, such as security, law enforcement, medical research, health care cost containment, improved patient outcomes, public health or critical infrastructure protection, and whether such costs or burdens are justified by the additional regulations or benefits to privacy, including whether such benefits may be achieved through less onerous means.
• The cost analysis of legislative or regulatory changes proposed in the report.
• Recommendations on non-legislative solutions to individual health privacy concerns, including education, market-based measures, industry best practices, and new technologies.
• Review of the effectiveness and utility of third-party statements of privacy principles and private sector self-regulatory efforts, as well as third-party certification or accreditation programs meant to ensure compliance with privacy requirements.

A one-pager on the legislation is available here.

Full text of the legislation is available here.

###

(Note: The information provided below is a summary and intended for general informational purposes. Mental health providers and other covered entities should not rely on this summary as a source of legal information or advice and should consult with their own attorney or HIPAA Privacy Officer for specific guidance.)

Introduction:

This document provides guidance about key elements of the requirements of the Health Insurance Portability and Accountability Act (HIPAA), federal legislation passed in 1996 which requires providers of health care (including mental health care) to ensure the privacy of patient records and health information. HIPAA required the federal Department of Health and Human Services (HHS) to develop regulations to implement these privacy requirements, called the Privacy Rule, which became effective on April 14, 2003. State statutes which provide more stringent protections of health care privacy remain in effect even after HIPAA, and therefore this document includes a few relevant references to requirements in New York State's mental health confidentiality statute (section 33.13 of the Mental Hygiene Law).

General:

The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the first comprehensive Federal protection for the privacy of health and mental health information. The Rule is intended to provide strong legal protections to ensure the privacy of individual health information, without interfering with patient access to treatment, health care operations, or quality of care.

The Privacy Rule applies to “covered entities” which generally includes health plans and health care providers who transmit health information in electronic form. Covered entities include almost all health and mental health care providers, whether they are outpatient, residential or inpatient providers, as well as other persons or organizations that bill or are paid for health care.

Basic Principles of the Privacy Rule:

1. The Privacy Rule protects all “protected health information” (PHI), including individually identifiable health or mental health information held or transmitted by a covered entity in any format, including electronic, paper, or oral statements.
2. A major purpose of the Privacy Rule is to define and limit the circumstances under which an individual's PHI may be used or disclosed by covered entities. Generally, a covered entity may not use or disclose PHI to others, except:
   1. as the Privacy Rule permits or requires; or
   2. as authorized by the person (or personal representative) who is the subject of the health information. A HIPAA-compliant Authorization must contain specific information required by the Privacy Rules.
3. A covered entity must provide individuals (or their personal representatives) with access to their own PHI (unless there are permitted grounds for denial), and must provide an accounting of the disclosures of their PHI to others, upon their request.
4. The Privacy Rule supersedes State law, but State laws which provide greater privacy protections or which give individuals greater access to their own PHI remain in effect.

(Note: One must consult not only HIPAA but also other relevant federal privacy laws (such as regulations pertaining to Medicaid and federally funded substance abuse treatment programs), as well as State privacy laws (including the Mental Hygiene Law- section 33.13, the Public Health Law, the Education Law licensing provisions, and the Civil Practice Laws and Rules), to determine whether a disclosure of medical information is permissible in a given circumstance.)

Permitted Uses or Disclosures of PHI Without Authorization:

Extensive provisions of the Privacy Rule describe circumstances under which covered entities are permitted to use or disclose PHI, without the authorization of the individual who is the subject of the protected information. These purposes include, but are not limited to, the following:

1. A covered entity may disclose PHI to the individual who is the subject of the information.
2. A covered entity may use and disclose protected health information for its own “treatment, payment, and health care operations.”
   1. Treatment is the provision, coordination, or management of health care and related services for an individual, including consultation between providers and referral of an individual to another provider for health care.
   2. Payment includes activities of a health care provider to obtain payment or to receive reimbursement for the provision of health care to an individual.
   3. Health care operations include functions such as: (a) quality assessment and improvement; (b) competency assessment,, including performance evaluation, credentialing, and accreditation; (c) medical reviews, audits, or legal services; (d) specified insurance functions; and (e) business planning, management, and general administration.
3. Permission may be obtained from the individual who is the subject of the information or by circumstances that clearly indicate an individual with capacity has the opportunity to object to the disclosure but does not express an objection. Providers may also rely on an individual's informal permission to disclose health information to an individual's family, relatives, close personal friends, or to other persons identified by the individual, limited to information directly related to such person's involvement.
4. When an individual is incapacitated or in an emergency, providers sometimes may use or disclose PHI, without authorization, when it is in the best interests of the individual, as determined by health care provider in the exercise of clinical judgment. The PHI that may be disclosed under this provision includes the patient's name, location in a health care provider's facility, and limited and general information regarding the person's condition.
5. Providers may use and disclose PHI without a person's authorization when the use or disclosure of PHI is required by law, including State statute or court order.
6. Providers generally may disclose PHI to State and Federal public health authorities to prevent or control disease, injury, or disability, and to government authorities authorized to receive reports of child abuse and neglect.
7. Providers may disclose PHI to appropriate government authorities in limited circumstances regarding victims of abuse, neglect, or domestic violence.
8. Providers may disclose PHI to health oversight agencies, (e.g., the government agency which licenses the provider), for legally authorized health oversight activities, such as audits and investigations.
9. PHI may be disclosed in a judicial or administrative proceeding if the request is pursuant to a court order, subpoena, or other lawful process (note that "more stringent" NYS Mental Hygiene law requires a court order for disclosure of mental health information in these circumstances).
10. Providers may generally disclose PHI to law enforcement when:
    1. Required by law, or pursuant to a court order, subpoena, or an “administrative request,” such as a subpoena or summons (Note: the "more stringent" NYS Mental Hygiene Law section 33.13 requires a court order for disclosure of mental health information in these circumstances). The information sought must be relevant and limited to the inquiry.
    2. To identify or locate a suspect, fugitive, material witness or missing person (Note: under Mental Hygiene Law section 33.13 this information is limited to “identifying data concerning hospitalization”).
    3. In response to a law enforcement request for information about a victim of a crime (Note: under Mental Hygiene Law section 33.13 this information is limited to “identifying data concerning hospitalization”).
    4. To alert law enforcement about criminal conduct on the premises of a HIPAA covered entity.
11. Providers may disclose PHI that they believe necessary to prevent or lessen a
    1. serious and imminent physical threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat).
12. An authorization is not required to use or disclose PHI to certain government
    1. programs providing public benefits or for enrollment in government benefit
    2. programs if the sharing of information is required or expressly authorized by statute or regulation, or other limited circumstances

“Minimum Necessary” Rule:

A covered entity must make reasonable efforts to use, request, or disclose to others only the minimum amount of PHI which is needed to accomplish the intended purpose of the use, request or disclosure. When the minimum necessary standard applies, a covered entity may not use, disclose, or request a person's entire medical record, unless it can specifically justify that the entire record is reasonably needed.

The minimum necessary standard does not apply under the following circumstances:

1. disclosure to a health care provider for treatment;
2. disclosure to an individual (or personal representative) who is the subject of the information;
3. use or disclosure made pursuant to an Authorization by the person (or personal representative);
4. use or disclosure that is required by law; or
5. disclosure to HHS for investigation, compliance review or enforcement.

Penalties for Violation of HIPAA:

1. Civil monetary penalties: HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement- not to exceed $25,000 per calendar year for multiple violations of the same Privacy Rule requirement. Generally, HHS may not impose civil monetary penalties when a violation is due to reasonable cause, there was no “willful neglect,” and the covered entity corrected the violation within 30 days of when it knew (or should have known) of the violation.
2. Criminal Penalties. A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA could face a fine of $50,000 and imprisonment for up to one year. If the wrongful conduct involves “false pretenses” the criminal penalties could increase up to a fine of $100,000 and up to five years imprisonment. A fine of up to $250,000 and up to ten years imprisonment could be imposed if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information “for commercial advantage, personal gain, or malicious harm.”

To view the entire Privacy Rule, or for other information about how it applies, visit the website of the HHS, Office of Civil Rights at: http://www.hhs.gov/ocr/hipaa/