The final rule effectively sets a minimum floor for privacy protection.The final rule preempts state privacy laws that are contrary to it, i.e., a covered entity would find it impossible to comply with both the state and federal requirements.[5]A state enacting contrary privacy protections must request an exception form the Office for Civil Rights (OCR) at DHHS to avoid preemption.[6]States are permitted to enact privacy protections that are consistent with, but more stringent than, the final rule.[7]The critical issue in preemption is the interpretation of "contrary" and more stringent," both terms defined in the final rule.[8]

To improve the privacy and security of health information, the final rule reflects five basic principles: boundaries, consumer control, public responsibility, security, and accountability.

The final rule protects protected health information (PHI) and applies to covered entities. PHI means individually identifiable health information.[9]Individually identifiable health information does not include health information that has been properly de-identified.[10] Covered entities include the following: health plans, health care clearinghouses, and health care providers who transmit health information in electronic form with a transaction.[11]Although business associates are not covered entities,[12] covered entities may only disclose PHI to business associates with satisfactory assurances by the business associates to safeguard the information[13] and documentation of those assurances.[14]Also, the final rule addresses covered entities with special organizational structures including hybrid entities,[15] affiliated entities,[16] group health plans,[17] and covered entities with multiple covered functions.[18]

Covered entities must make reasonable efforts to limit the use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.[19]The "minimum necessary" standard does not apply to disclosures to or requests by health care providers for the purpose of treatment, however.[20]With a few exceptions,[21] covered entities must treat personal representatives as the individual.[22] Covered entities must also protect the PHI of deceased individuals.[23]

A covered health care provider must obtain an individual's consent prior to using or disclosing his or her PHI to carry out treatment, payment, or health care operations.[24]Only under very limited circumstances may a covered health care provider use or disclose PHI without prior consent,[25] but even then, the provider must document its attempt to obtain consent and give reason why consent was not obtained.[26]Consent is not required prior to treatment when an indirect treatment relationship exists with the individual[27] or where the individual is an inmate.[28]Consent to use or disclose PHI is limited to the covered entity that obtains it[29] and is subject to revocation.[30]A valid consent requires several elements including plain language.[31]Finally, a covered health care provider or health plan may condition treatment or enrollment on consent by the individual.[32]

Generally for those situations outside of treatment, payment, or health care operations,[33] authorization is required before a covered entity is permitted to use or disclose PHI.[34] The content of the authorization must contain several core elements including plain language[35] and an expiration date or event.[36]Like consent, authorization is subject to revocation.[37]Unlike consent, one covered entity may request authorization from another covered entity to access PHI for purposes of treatment, payment, or health care operation if certain requirements are met.[38]Also, a covered entity may not condition treatment or enrollment on the provision of authorization except for a few instances.[39]Finally additional rules apply to authorizations for research-based treatment.[40]

It is possible that conflicting consents and authorizations exist for use and disclosure of PHI to carry out treatment, payment, or health care operations.In this case, the more restrictive consent, authorization, or written legal permission controls;[41] or the individual may resolve the conflict by either giving new consent or communicating the individual's preference.[42]

In certain situations such as maintaining a directory of individuals in the facility[43] or notifying family members of the individual's care,[44] PHI may be used or disclosed without consent or authorization by the individual.The individual must be informed in advance and have the opportunity to agree, prohibit, or restrict the use or disclosure.[45]

An individual has the right to adequate notice from the covered entity as to the use and disclosure of his or her PHI as well as the individual's rights and the entity's duties with respect to that information.[46]Important elements required in the notice are permissible uses and disclosures,[47] a statement of the individual rights,[48] a statement of the covered entity's duties,[49] and a procedure for filing a complaint.[50]Specific requirements apply to health plans[51] and health care providers,[52] and for electronic[53] and joint notices.[54]

An individual has the right to request restrictions on the use and disclosure of his or her PHI.[55]The individual also has a right to request that communications concerning PHI between the health care provider and the individual remain confidential.[56]

An individual has the right to access his or her PHI in a designated record set for purposes of inspection, copying, or both.[57]Exception to the right of access include psychotherapy notes,[58] information compiled in anticipation of a legal proceeding,[59] and PHI subject to the Clinical Laboratory Improvements Amendments.[60]Grounds for which a covered entity may deny individual access are either reviewable[61] or unreviewable.[62]If the covered entity allows the individual access, the provision of access must be timely[63] and fees associated with copying the information must be reasonable and cost-based.[64]If access is denied, the covered entity must provide the individual a timely written basis for denial [65] and the opportunity to have the denial reviewed by an independent licensed health care professional.[66]

An individual has the right to amend his or her PHI in a designated record set.[67]The covered entity may deny an individual's request on several grounds.[68]Requests for amendments must be acted upon in a timely manner.[69]If accepted, the covered entity must timely inform the individual[70] and others.[71]If denied in whole or in part, the covered entity must provide the individual with a timely written denial using plain language,[72] provide the individual an opportunity to submit a written statement disagreeing with the denial,[73] and keep the records of all documents.[74]

An individual has a right to an accounting for disclosures of his or her PHI made by the covered entity in the past 6 years prior to the date of the request.[75]However, there is no right to receive an accounting of disclosures of PHI used to carry out treatment, payment and health care operations.[76]Other exceptions exist[77] and limitations apply.[78]Specific requirements for the content,[79] provision,[80] and documentation[81] of the accounting must be followed.

Covered entities may use or disclose PHI without the consent, authorization, or the opportunity to agree or object by the individual in limited situations.[82]Use and disclosure is permitted in situations concerning public health activities;[83] victims of abuse, neglect or domestic violence;[84] health oversight activities;[85] judicial and administrative proceedings; [86] law enforcement;[87] decedents;[88] cadaveric organ, eye or tissue donation;[89] research;[90] serious threats to health or safety;[91] specialized government functions;[92] workers' compensation,[93] and when required by law.[94]

The final rule places the responsibility of safeguarding PHI on covered entities.[95] The covered entity must train members of its workforce on privacy protection procedure.[96]A privacy officer must be designated to ensure the procedures are followed,[97] to impose sanctions for violations,[98] and to mitigate the harmful effects of violations.[99] A grievance process must be in place to address complaints;[100] further, the covered entity may not take retaliatory action against patients and other individuals in the grievance process.[101]A covered entity must have policies and procedures that work to protect privacy[102] and they must be in writing.[103]Also, if use or disclosure is done for underwriting and related purposes, proper verification requirements must be followed.[104]More guidance will be available on the issue of security when the final security rule is published.[105]

The final rule applies the standards included in HIPAA to create specific federal penalties for the improper use or disclosure of protected health information.Civil penalties are up to $25,000 per person per year.Criminal penalties are up to $250,000 and up to 10 years in prison.The Secretary has delegated authority to enforce the privacy regulations to the Office for Civil Rights at DHHS.

[1] Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg. 82462-29 (December 28, 2000); for regulation text, see http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm.

[2] P.L. 104-191 (August 21, 1996)

[3] For small health plans, the compliance date is April 14, 2004.

[4] See http://aspe.hhs.gov/admnsimp/final/pvcguide1.htm.

[5] §160.203

[6] §160.204; the Secretary has delegated the authority of exception determinations to the Office for Civil Rights

[7] §160.203(b)

[8] §160.202

[9] §164.501

[10] §164.502(d)(2); Covered entities may use and disclose PHI for purposes of creating de-identified information, §164.502(d)(1); Requirements for de-identification and re-identification can be found at §164.514(b) and §164.514(c) respectively.

[11] §160.102

[12] By holding covered entities responsible for the violations of their business associates, these standards broaden protection of PHI beyond covered entities.

[13] §164.502(e)(1)(i); Exceptions to this standard can be found in §164.502(e)(1)(ii)

[14] §164.502(e)(2); Documentation can be by written contract or other written agreement or arrangement with business associate. Specific requirements can be found at §164.504(e)

[15] §164.504(c)

[16] §164.504(d)

[17] §164.504(f)

[18] §164.504(g)

[19] §160.502(b)(1); Implementation specifications for the "minimum necessary" standard can be found at §164.514(d)

[20] §160.502(b)(2)(i); This provision makes sense. Access to health information by providers should improve the quality of care. Other exceptions to the "minimum necessary" standard are listed under §160.502(b)(2).

[21] See unemancipated minors at §164.502(g)(3); and abuse, neglect, endangerment situations at §164.502(g)(5)

[22] §164.502(g)

[23] §164.502(f)

[24] §164.506(a)(1)

[25] §164.506(a)(3)(i)

[26] §164.506(a)(3)(ii)

[27] §164.506(a)(2)(i); Health care providers who are in an indirect relationship with the individual - not having direct or face-to-face contact with the patient or acting under the orders of another provider (pharmacy, clinical lab, pathology) - are not required to get consent, but are not prohibited from doing so under §164.506(a)(4).

[28] §164.506(a)(2)(ii)

[29] §164.506(a)(5)

[30] §164.506(b)(5)

[31] §164.506(c)

[32] §164.506(b)

[33] Use and disclosure for marketing and fundraising activities generally require authorization. Authorization is not required in limited circumstances for marketing, §164.514(e) and for fundraising , §164.514(f).

[34] §164.508(1)

[35] §164.508(c)(2)

[36] §164.508(c)(1)(iv)

[37] §164.508(b)(5)

[38] §164.508(e)

[39] §164.508(b)(4)

[40] §164.508(f)

[41] §164.506(e)(1)

[42] §164.506(e)(2)

[43] §164.510(a)

[44] §164.510(b)

[45] §164.510; Oral communication between the covered entity and the individual is permissible.

[46] §164.520(a)(1); exceptions for group health plans, §164.520(a)(2) and for inmates, §164.520(a)(3)

[47] §164.520(b)(1)(ii)

[48] §164.520(b)(1)(iv)

[49] §164.520(b)(1)(v)

[50] §164.520(b)(1)(vi)

[51] §164.520(c)(1)

[52] §164.520(c)(2)

[53] §164.520(c)(3)

[54] §164.520(d)

[55] §164.522(a)

[56] §164.522(b); The covered entity must permit individuals to request and accommodate reasonable requests by individuals to receive communications of PHI by alternative means or at alternative locations.

[57] §164.524(a)(1)

[58] §164.524(a)(1)(i)

[59] §164.524(a)(1)(ii)

[60] §164.524(a)(1)(iii)

[61] §164.524(a)(3)

[62] §164.524(a)(2)

[63] §164.524(b)(2)

[64] §164.524(c)(4)

[65] §164.524(d)(2)

[66] §164.524(d)(4)

[67] §164.526(a)(1)

[68] §164.526(a)(2); Denial may be on the grounds that the PHI was not created by the covered entity, §164.526(a)(2)(i); PHI is not part of the designated record set, §164.526(a)(2)(ii); PHI not accessible for inspection by individual, §164.526(a)(2)(iii); and PHI is accurate and complete, §164.526(a)(2)(iv).

[69] §164.526(b)(2)

[70] §164.526(c)(2)

[71] §164.526(c)(3)

[72] §164.526(d)(1)

[73] §164.526(2)

[74] §164.526(4)

[75] §164.528(a)(1)

[76] §164.528(a)(1)(i)

[77] Disclosure to individuals of PHI,§164.528(a)(1)(ii); for the facility directory or persons involved in individual's care, ,§164.528(a)(1)(iii); for nation security, §164.528(a)(1)(iv); to correctional institution, §164.528(a)(1)(v); and that occurred prior to the compliance date for the covered entity, §164.528(a)(1)(vi).

[78] §164.528(a)(2)

[79] §164.528(b)

[80] §164.528(c)

[81] §164.528(d)

[82] §164.512(d)

[83] §164.512(b)

[84] §164.512(c)

[85] §164.512(d)

[86] §164.512(e)

[87] §164.512(f)

[88] §164.512(g)

[89] §164.512(h)

[90] §164.512(i)

[91] §164.512(j)

[92] §164.512(k)

[93] §164.512(l)

[94] §164.512(a)

[95] §164.530(c)

[96] §164.530(b)

[97] §164.530(a)

[98] §164.530(e)

[99] §164.530(f)

[100] §164.530(d)

[101] §164.530(g)

[102] §164.530(i)

[103] §164.530(j)

[104] §164.514(g)

[105] On August 12, 1998, DHHS published its Security and Electronic Signature Standards Notice of Proposed Rule Making. As of this writing, the final security rule has not been published.