Health Law Perspectives
Vol. 21, No. 22
December 1, 1999

The University of Houston Law Center

Proposed Privacy Standards: Background and Overview
by Mary R. Anderlik, Research Professor
Part 1 of 2

In the November 3, 1999, Federal Register, the Office of the Secretary of Health and Human Services (HHS) published a proposed rule establishing privacy standards for health information. The text, available at http://aspe.hhs.gov/admnsimp, includes a lengthy preamble, the draft regulations, and a preliminary regulatory impact analysis.

The background for the rule is complex. The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, contained several mandates to HHS. HIPAA was intended to facilitate electronic exchange of health information, and HHS has already issued proposed standards that lay the foundation for this expansion. In addition, HIPAA directed HHS to submit recommendations to Congress concerning privacy issues. HIPAA provided that if Congress failed to enact privacy legislation before August 21, 1999 - and it has failed to do so - HHS should itself issue privacy standards by February 21, 2000.

The introduction to the proposed rule makes the case for regulation. Privacy is important because people value it and because a lack of privacy protections impairs the efficiency and effectiveness of the health care system. In September 1999, a Wall Street Journal/CBS poll asked Americans what concerned them most in the coming century. Those surveyed picked "loss of personal privacy" more often than any other issue. In a survey released in January 1999, one-sixth of respondents reported providing inaccurate information, changing physicians, avoiding care, or taking some other action to protect their privacy.
The philosophy behind the draft regulations is captured in two propositions: 1) the use and exchange of health information should be relatively easy for health care purposes, and relatively difficult for other purposes; 2) substantive and procedural regulations governing the entities that obtain, maintain, and transmit health information offer more meaningful privacy protection than pro forma authorization requirements. Standards such as scalability (covered entities are free to develop detailed policies and procedures tailored to their size and circumstances) and "minimum necessary" disclosure (no more information should be used or released than is necessary for the particular purpose) show a willingness to grant covered entities considerable discretion.

The basic rule is that covered entities may not use or disclose individually identifiable health information unless authorized by the individual or permitted under the regulations. Use and disclosure would be permitted, without authorization, to carry out treatment, payment, or health care operations. Each of these terms is broadly defined; the inclusion of "health care operations" is particularly controversial.

The regulations would permit, but not require, disclosure without authorization for several categories of activities or purposes: public health; health oversight; judicial and administrative proceedings; coroners and medical examiners; law enforcement; intelligence and national security; health care fraud investigation; governmental health data systems; directory information; banking and payment processes; research; emergency situations; next-of-kin, other family member, or close personal friend; specialized classes of persons; and uses and disclosures required by other law. In many of these categories, some procedural safeguards would be imposed. Considerable debate is likely concerning the adequacy of these safeguards in areas such as law enforcement and research.
In all other cases, a disclosure or use would only be permissible with an authorization from the individual. Examples cited include use for marketing and disclosure by sale. Authorizations would have to meet a number of requirements, and a model authorization form is included as an appendix to the regulations. Importantly, a covered entity would not be permitted to condition treatment or payment on the provision of a requested authorization, except in the context of a clinical trial.

Comments on the proposed rule are due January 3, 2000. Comments may be submitted electronically at www.aspe.hhs.gov/admnsimp. Although the rule is to be finalized in February, covered entities would have at least two years to achieve compliance.

(To be continued in the next issue)

The views expressed in the articles in Health Law Perspectives are those of their respective authors. The articles do not necessarily reflect the views of the University of Houston or the Health Law and Policy Institute.

©2006 Texas Medical Center
E-Mail: tmc-info@tmc.edu
URL: http://www.tmc.edu/tmcnews/12_01_99/page_07.html