under a Congressional mandate stipulated in the bipartisan Health Insurance
Portability and Accountability Act of 1996 (HIPAA). The final rule became effective
on April 14, 2001, and most covered entities under the regulation must comply
by April 14, 2003. On July 6, 2001, DHHS issued its first set of guidance on the final rule.
The final rule applies the standards included in HIPAA to create specific federal
penalties for the improper use or disclosure of protected health information. Civil
penalties are up to $25,000 per person per year. Criminal
penalties are up to $250,000 and up to 10 years in prison. The
Secretary has delegated authority to enforce the privacy regulations to
the Office for Civil Rights at DHHS.
P.L. 104-191 (August 21, 1996)
For small health plans, the compliance date is April 14, 2004.
§160.204; the Secretary has delegated the authority of exception determinations
to the Office for Civil Rights
§164.502(d)(2); Covered entities may use and disclose PHI for purposes
of creating de-identified information, §164.502(d)(1); Requirements
for de-identification and re-identification can be found at §164.514(b)
and §164.514(c) respectively.
By holding covered entities responsible for the violations of their business
associates, these standards broaden protection of PHI beyond covered entities.
§164.502(e)(1)(i); Exceptions to this standard can be found in §164.502(e)(1)(ii)
§164.502(e)(2); Documentation can be by written contract or other
written agreement or arrangement with business associate. Specific requirements
can be found at §164.504(e)
§164.502(b)(1); Implementation specifications for the "minimum necessary"
standard can be found at §164.514(d)
§164.502(b)(2)(i); This exception is sensible: access to health information
by providers for treatment should improve the quality of care. Other exceptions to the
"minimum necessary" standard are listed under §164.502(b)(2).
See unemancipated minors at §164.502(g)(3); and abuse, neglect, endangerment
situations at §164.502(g)(5)
§164.506(a)(2)(i); Health care providers who are in an indirect treatment relationship
with the individual (no direct or face-to-face contact with the
patient, and acting under the orders of another provider, as with a pharmacy, clinical
lab, or pathology service) are not required to get consent, but are not prohibited
from doing so under §164.506(a)(4).
Use and disclosure for marketing and fundraising activities generally require
authorization. Authorization is not required in limited circumstances for
marketing, §164.514(e), and for fundraising, §164.514(f).
§164.510; Oral communication between the covered entity and the individual
§164.520(a)(1); exceptions for group health plans, §164.520(a)(2)
and for inmates, §164.520(a)(3)
§164.522(b); The covered entity must permit individuals to request
and accommodate reasonable requests by individuals to receive communications
of PHI by alternative means or at alternative locations.
§164.526(a)(2); Denial may be on the grounds that the PHI was not
created by the covered entity, §164.526(a)(2)(i); PHI is not part
of the designated record set, §164.526(a)(2)(ii); PHI not accessible
for inspection by individual, §164.526(a)(2)(iii); and PHI is accurate
and complete, §164.526(a)(2)(iv).
Disclosure to individuals of PHI, §164.528(a)(1)(ii); for the facility
directory or to persons involved in the individual's care, §164.528(a)(1)(iii);
for national security, §164.528(a)(1)(iv); to correctional institutions,
§164.528(a)(1)(v); and disclosures that occurred prior to the compliance date
for the covered entity, §164.528(a)(1)(vi).
On August 12, 1998, DHHS published its Security and Electronic Signature
Standards Notice of Proposed Rule Making. As of this writing, the final
security rule has not been published.