Proposed Privacy Standards: Background and Overview

By Mary R. Anderlik
Health Law & Policy Institute

In the November 3, 1999 Federal Register, the Office of the Secretary of Health and Human Services (HHS) published a proposed rule establishing privacy standards for health information. The text, available at, includes a lengthy preamble, the draft regulations, and a preliminary regulatory impact analysis.

The background for the rule is complex. The Health Insurance Portability and Accountability Act, passed in 1996, contained several mandates to HHS. HIPAA was intended to facilitate electronic exchange of health information. HHS has already issued proposed standards that lay the foundation for expansion. In addition, HIPAA directed HHS to submit recommendations to Congress concerning privacy issues. HIPAA provided that if Congress failed to enact privacy legislation before August 21, 1999—and it has failed to do so—HHS should itself issue privacy standards by February 21, 2000.

The introduction to the proposed rule makes the case for regulation. Privacy is important because people value it and because a lack of privacy protections impairs the efficiency and effectiveness of the health care system. In September 1999, a Wall Street Journal/CBS poll asked Americans what concerned them most in the coming century. Those surveyed picked "loss of personal privacy" more often than any other issue. In a survey released in January 1999, one-sixth of respondents reported providing inaccurate information, changing physicians, avoiding care, or taking some other action to protect their privacy.

The philosophy behind the draft regulations is captured in two propositions: 1) the use and exchange of health information should be relatively easy for health care purposes, and relatively difficult for other purposes; 2) substantive and procedural regulations governing the entities that obtain, maintain, and transmit health information offer more meaningful privacy protection than pro forma authorization requirements. Standards such as scalability (covered entities are free to develop detailed policies and procedures tailored to their size and circumstances) and "minimum necessary" disclosure (no more information should be released than is absolutely necessary for the particular purpose) show a willingness to grant covered entities considerable discretion.

The basic rule is that covered entities may not use or disclose individually identifiable health information unless authorized by the individual or permitted under the regulations. Use and disclosure would be permitted, without authorization, to carry out treatment, payment, or health care operations. Each of these terms is broadly defined; the inclusion of "health care operations" is particularly controversial. The regulations would permit, but not require, disclosure without authorization for several categories of activities or purposes: public health; health oversight; judicial and administrative proceedings; coroners and medical examiners; law enforcement; intelligence and national security; health care fraud investigation; governmental health data systems; directory information; banking and payment processes; research; emergency situations; next-of-kin, other family member, or close personal friend; specialized classes of persons; and uses and disclosures required by other law. In many of these categories, some procedural safeguards would be imposed. Considerable debate is likely concerning the adequacy of these safeguards in areas such as law enforcement and research.

In all other cases, a disclosure or use would only be permissible with an authorization from the individual. Examples cited include use for marketing and disclosure by sale. Authorizations would have to meet a number of requirements, and a model authorization form is included as an appendix to the regulations. Importantly, a covered entity would not be permitted to condition treatment or payment on the provision of a requested authorization, except in the context of a clinical trial.

Individual rights to notice and access are another piece of the framework. Covered entities would be required to provide notice of their privacy policies and procedures upon request and at specified intervals. The basic right of access would include a right to inspect and obtain a copy of one’s protected health information. An individual would also have a right to an accounting of all disclosures of protected health information made by a covered entity, except for disclosures for treatment, payment, and health care operations (and, in some circumstances, disclosures to health oversight or law enforcement agencies). Responses to a request for access or an accounting would be required within 30 days. In addition, an individual would have the right to request a health plan or health care provider to amend or correct protected health information. A response would be required within 60 days.

The draft regulations provide that a standard, requirement, or implementation specification that is contrary to a provision of state law preempts the state law provision, unless the Secretary of HHS makes a determination that the provision is necessary for certain priority purposes (e.g., prevention of fraud and abuse), or the provision relates to disease or injury reporting or other specified public health functions, or the provision relates to the privacy of health information and is more stringent than the federal regulations. In general, then, the regulations establish a floor rather than a ceiling for privacy protection. States are free to fill in the gaps in the federal regulatory framework or offer additional protections.

The proposed rule contains a plea for Congress to continue work on comprehensive health privacy legislation, since the drafters of the proposed rule believe the HIPAA grant of authority has significant limitations. For example, HHS indicates that information that is neither maintained nor transmitted electronically would not be protected. (Once information is put in electronic form, the draft regulations would protect it through all subsequent transformations.) Also, HHS believes it lacks the authority to create a private right of action for individuals whose privacy rights are violated. Individuals would have the right to file complaints with any covered entity and/or with the Secretary.

The preliminary regulatory impact analysis puts the cost of implementing the proposed rule at between $1.8 billion and $6.3 billion over five years. Over half of the cost would be associated with the provision that requires covered entities to establish a procedure for amendment and correction of records. A study sponsored by the Blue Cross and Blue Shield Association has estimated the cost at $43 billion.

Comments on the proposed rule are due January 3, 2000. Comments may be submitted electronically at . Although the rule is to be finalized in February, covered entities would have at least two years to achieve compliance.