Vol. 21, No. 23
December 15, 1999
The University of Houston Law Center

Proposed Privacy Standards: Background and Overview

by Mary R. Anderlik
Research Professor

Part 2 of 2

The Office of the Secretary of Health and Human Services has published a proposed rule establishing privacy standards for health information. The text of the proposed rule can be found at the website http://aspe.hhs.gov/admnsimp. The first part of this column appeared in the Dec. 1 issue of the TMC News.

Individual rights to notice and access are another piece of the framework. Covered entities would be required to provide notice of their privacy policies and procedures upon request and at specified intervals. The basic right of access would include a right to inspect and obtain a copy of one's protected health information. An individual would also have a right to an accounting of all disclosures of protected health information made by a covered entity, except for disclosures for treatment, payment, and health care operations (and, in some circumstances, disclosures to health oversight or law enforcement agencies). Responses to a request for access or an accounting would be required within 30 days. In addition, an individual would have the right to request a health plan or health care provider to amend or correct protected health information. A response would be required within 60 days.

The draft regulations provide that a standard, requirement, or implementation specification that is contrary to a provision of state law preempts the state law provision, unless the Secretary of HHS makes a determination that the provision is necessary for certain priority purposes (e.g., prevention of fraud and abuse), or the provision relates to disease or injury reporting or other specified public health functions, or the provision relates to the privacy of health information and is more stringent than the federal regulations. In general, then, the regulations establish a floor rather than a ceiling for privacy protection. States are free to fill in the gaps in the federal regulatory framework or offer additional protections.

The proposed rule contains a plea for Congress to continue work on comprehensive health privacy legislation, since the drafters of the proposed rule believe the HIPAA grant of authority has significant limitations. For example, HHS indicates that information that is neither maintained nor transmitted electronically would not be protected. (Once information is put in electronic form, the draft regulations would protect it through all subsequent transformations.) Also, HHS believes it lacks the authority to create a private right of action for individuals whose privacy rights are violated. Individuals would have the right to file complaints with any covered entity and/or with the Secretary.

The preliminary regulatory impact analysis puts the cost of implementing the proposed rule at between $1.8 billion and $6.3 billion over five years. Over half of the cost would be associated with the provision that requires covered entities to establish a procedure for amendment and correction of records. A study sponsored by the Blue Cross and Blue Shield Association has estimated the cost at $43 billion.

Comments on the proposed rule are due January 3, 2000. Comments may be submitted electronically at http://aspe.hhs.gov/admnsimp. Although the rule is to be finalized in February, covered entities would have at least two years to achieve compliance.

The views expressed in the articles in Health Law Perspectives are those of their respective authors. The articles do not necessarily reflect the views of the University of Houston or the Health Law and Policy Institute.

©2006 Texas Medical Center
E-Mail: tmc-info@tmc.edu
URL: http://www.tmc.edu/tmcnews/12_15_99/page_24.html