Final Privacy Rule Preamble - Background and Purpose

[Federal Register: December 28, 2000 (Volume 65, Number 250)]
[Rules and Regulations]
[Page 82461-82510]
[DOCID:fr28de00-29]

BILLING CODE: 4150-04M

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 through 164

Rin: 0991-AB08

Standards for Privacy of Individually Identifiable Health Information

AGENCY: Office of the Assistant Secretary for Planning and Evaluation, DHHS.

ACTION: Final rule.

SUMMARY: This rule includes standards to protect the privacy of individually identifiable health information. The rules below, which apply to health plans, health care clearinghouses, and certain health care providers, present standards with respect to the rights of individuals who are the subjects of this information, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information.

The use of these standards will improve the efficiency and effectiveness of public and private health programs and health care services by providing enhanced protections for individually identifiable health information. These protections will begin to address growing public concerns that advances in electronic technology and evolution in the health care industry are resulting, or may result, in a substantial erosion of the privacy surrounding individually identifiable health information maintained by health care providers, health plans and their administrative contractors. This rule implements the privacy requirements of the Administrative Simplification subtitle of the Health
Insurance Portability and Accountability Act of 1996.

DATES: The final rule is effective on February 26, 2001.

FOR FURTHER INFORMATION CONTACT: Kimberly Coleman, 1-866-OCR-PRIV (1-866-627-7748) or TTY 1-866-788-4989.

SUPPLEMENTARY INFORMATION:

Availability of copies, and electronic access.

Copies: To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512-1800 or by fax to (202) 512-2250. The cost for each copy is $8.00. As an alternative, you can view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register.

Electronic Access: This document is available electronically at http://aspe.hhs.gov/admnsimp/ as well as at the web site of the Government Printing Office at http://www.access.gpo.gov/su_docs/aces/aces140.html.

I. BACKGROUND

Table of Contents

§ 160.101 Statutory basis and purpose.
§ 160.102 Applicability.
§ 160.103 Definitions.
§ 160.104 Modifications.
§ 160.201 Applicability
§ 160.202 Definitions.
§ 160.203 General rule and exceptions.
§ 160.204 Process for requesting exception determinations.
§ 160.205 Duration of effectiveness of exception determinations.
§ 160.300 Applicability.
§ 160.302 Definitions.
§ 160.304 Principles for achieving compliance.
    (a) Cooperation.
    (b) Assistance.
§ 160.306 Complaints to the Secretary.
    (a) Right to file a complaint.
    (b) Requirements for filing complaints.
    (c) Investigation.
§ 160.308 Compliance reviews.
§ 160.310 Responsibilities of covered entities.
    (a) Provide records and compliance reports.
    (b) Cooperate with complaint investigations and compliance reviews.
    (c) Permit access to information.
§ 160.312 Secretarial action regarding complaints and compliance reviews.
    (a) Resolution where noncompliance is indicated.
    (b) Resolution when no violation is found.
§ 164.102 Statutory basis.
§ 164.104 Applicability.
§ 164.106 Relationship to other parts.
§ 164.500 Applicability.
§ 164.501 Definitions.
§ 164.502 Uses and disclosures of protected health information: general rules.
    (a) Standard.
    (b) Standard: minimum necessary.
    (c) Standard: uses and disclosures of protected health information subject to an agreed upon restriction.
    (d) Standard: uses and disclosures of de-identified protected health information.
    (e) Standard: disclosures to business associates.
    (f) Standard: deceased individuals.
    (g) Standard: personal representatives.
    (h) Standard: confidential communications.
    (i) Standard: uses and disclosures consistent with notice.
    (j) Standard: disclosures by whistleblowers and workforce member crime victims.
§ 164.504 Uses and disclosures: organizational requirements.
    (a) Definitions.
    (b) Standard: health care component.
    (c) Implementation specification: application of other provisions.
    (d) Standard: affiliated covered entities.
    (e) Standard: business associate contracts.
    (f) Standard: requirements for group health plans.
    (g) Standard: requirements for a covered entity with multiple covered functions.
§ 164.506 Consent for uses or disclosures to carry out treatment, payment, or health care operations.
    (a) Standard: consent requirement.
    (b) Implementation specifications: general requirements.
    (c) Implementation specifications: content requirements.
    (d) Implementation specifications: defective consents.
    (e) Standard: resolving conflicting consents and authorizations.
    (f) Standard: joint consents.
§ 164.508 Uses and disclosures for which an authorization is required.
    (a) Standard: authorizations for uses and disclosures.
    (b) Implementation specifications: general requirements.
    (c) Implementation specifications: core elements and requirements.
    (d) Implementation specifications: authorizations requested by a covered entity for its own uses and disclosures.
    (e) Implementation specifications: authorizations requested by a covered entity for disclosures by others.
    (f) Implementation specifications: authorizations for uses and disclosures of protected health information created for research that includes treatment of the individual.
§ 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object.
    (a) Standard: use and disclosure for facility directories.
    (b) Standard: uses and disclosures for involvement in the individual's care and notification purposes.
§ 164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required.
    (a) Standard: uses and disclosures required by law.
    (b) Standard: uses and disclosures for public health activities.
    (c) Standard: disclosures about victims of abuse, neglect or domestic violence.
    (d) Standard: uses and disclosures for health oversight activities.
    (e) Standard: disclosures for judicial and administrative proceedings.
    (f) Standard: disclosures for law enforcement purposes.
    (g) Standard: uses and disclosures about decedents.
    (h) Standard: uses and disclosures for cadaveric organ, eye or tissue donation purposes.
    (i) Standard: uses and disclosures for research purposes.
    (j) Standard: uses and disclosures to avert a serious threat to health or safety.
    (k) Standard: uses and disclosures for specialized government functions.
    (l) Standard: disclosures for workers' compensation.
§ 164.514 Other requirements relating to uses and disclosures of protected health information.
    (a) Standard: de-identification of protected health information.
    (b) Implementation specifications: requirements for de-identification of protected health information.
    (c) Implementation specifications: re-identification.
    (d) Standard: minimum necessary requirements.
    (e) Standard: uses and disclosures of protected health information for marketing.
    (f) Standard: uses and disclosures for fundraising.
    (g) Standard: uses and disclosures for underwriting and related purposes.
    (h) Standard: verification requirements
§ 164.520 Notice of privacy practices for protected health information.
    (a) Standard: notice of privacy practices.
    (b) Implementation specifications: content of notice.
    (c) Implementation specifications: provision of notice.
    (d) Implementation specifications: joint notice by separate covered entities.
    (e) Implementation specifications: documentation.
§ 164.522 Rights to request privacy protection for protected health information.
    (a) Standard: right of an individual to request restriction of uses and disclosures.
    (b) Standard: confidential communications requirements.
§ 164.524 Access of individuals to protected health information.
    (a) Standard: access to protected health information.
    (b) Implementation specifications: requests for access and timely action.
    (c) Implementation specifications: provision of access.
    (d) Implementation specifications: denial of access.
    (e) Implementation specification: documentation.
§ 164.526 Amendment of protected health information.
    (a) Standard: right to amend.
    (b) Implementation specifications: requests for amendment and timely action.
    (c) Implementation specifications: accepting the amendment.
    (d) Implementation specifications: denying the amendment.
    (e) Implementation specification: actions on notices of amendment.
    (f) Implementation specification: documentation.
§ 164.528 Accounting of disclosures of protected health information.
    (a) Standard: right to an accounting of disclosures of protected health information.
    (b) Implementation specifications: content of the accounting.
    (c) Implementation specifications: provision of the accounting.
    (d) Implementation specification: documentation.
§ 164.530 Administrative requirements.
    (a) Standard: personnel designations.
    (b) Standard: training.
    (c) Standard: safeguards.
    (d) Standard: complaints to the covered entity.
    (e) Standard: sanctions
    (f) Standard: mitigation.
    (g) Standard: refraining from intimidating or retaliatory acts.
    (h) Standard: waiver of rights.
    (i) Standard: policies and procedures.
    (j) Standard: documentation.
    (k) Standard: group health plans.
§ 164.532 Transition provisions.
    (a) Standard: effect of prior consents and authorizations.
    (b) Implementation specification: requirements for retaining effectiveness of prior consents and authorizations.
§ 164.534 Compliance dates for initial implementation of the privacy standards.
    (a) Health care providers.
    (b) Health plans.
    (c) Health care clearinghouses.

Purpose of the Administrative Simplification Regulations

This regulation has three major purposes:

1. to protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information;
2. to improve the quality of health care in the U.S. by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care; and
3. to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.

This regulation is the second final regulation to be issued in the package of rules mandated under Title II Subtitle F Section 261-264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, titled "Administrative Simplification." Congress called for steps to improve "the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information." To achieve that end, Congress required the Department to promulgate a set of interlocking regulations establishing standards and protections for health information systems. The first regulation in this set, Standards for Electronic Transactions 65 FR 50312, was published on August 17, 2000 (the "Transactions Rule"). This regulation establishing Standards for Privacy of Individually Identifiable Health Information is the second final rule in the package. A rule establishing a unique identifier for employers to use in electronic health care transactions, a rule establishing a unique identifier for providers for such transactions, and a rule establishing standards for the security of electronic information systems have been proposed. See 63 FR 25272 and 25320 (May 7, 1998); 63 FR 32784 (June 16, 1998); 63 FR 43242 (August 12, 1998). Still to be proposed are rules establishing a unique identifier for health plans for electronic transactions, standards for claims attachments, and standards for transferring among health plans appropriate standard data elements needed for coordination of benefits. (See section C, below, for a more detailed explanation of the statutory mandate for these regulations.)

In enacting HIPAA, Congress recognized the fact that administrative simplification cannot succeed if we do not also protect the privacy and confidentiality of personal
health information. The provision of high-quality health care requires the exchange of personal, often-sensitive information between an individual and a skilled practitioner. Vital to that interaction is the patient's ability to trust that the information shared will be protected and kept confidential. Yet many patients are concerned that their information is not protected. Among the factors adding to this concern are the growth of the number of organizations involved in the provision of care and the processing of claims, the growing use of electronic information technology, increased efforts to market health care and other products to consumers, and the increasing ability to collect highly sensitive information about a person's current and future health status as a result of advances in scientific research.

Rules requiring the protection of health privacy in the United States have been enacted primarily by the states. While virtually every state has enacted one or more laws to safeguard privacy, these laws vary significantly from state to state and typically apply to only part of the health care system. Many states have adopted laws that protect the health information relating to certain health conditions such as mental illness, communicable diseases, cancer, HIV/AIDS, and other stigmatized conditions. An examination of state health privacy laws and regulations, however, found that "state laws, with a few notable exceptions, do not extend comprehensive protections to people's medical records." Many state rules fail to provide such basic protections as ensuring a patient's legal right to see a copy of his or her medical record. See Health Privacy Project, "The State of Health Privacy: An Uneven Terrain," Institute for Health Care Research and Policy, Georgetown University (July 1999) (http://www.healthprivacy.org) (the "Georgetown Study").

Until now, virtually no federal rules existed to protect the privacy of health information and guarantee patient access to such information. This final rule establishes, for the first time, a set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care. The rule sets a floor of ground rules for health care providers, health plans, and health care clearinghouses to follow, in order to protect patients and encourage them to seek needed care. The rule seeks to balance the needs of the individual with the needs of the society. It creates a framework of protection that can be strengthened by both the federal government and by states as health information systems continue to evolve.

Need for a National Health Privacy Framework

The Importance of Privacy

Privacy is a fundamental right. As such, it must be viewed differently than any ordinary economic good. The costs and benefits of a regulation must, of course, be considered as a means of identifying and weighing options. At the same time, it is important not to lose sight of the inherent meaning of privacy: it speaks to our individual and collective freedom.

A right to privacy in personal information has historically found expression in American law. All fifty states today recognize in tort law a common law or statutory right to privacy. Many states specifically provide a remedy for public revelation of private facts. Some states, such as California and Tennessee, have a right to privacy as a matter of state constitutional law. The multiple historical sources for legal rights to privacy are traced in many places, including Chapter 13 of Alan Westin's Privacy and Freedom and in Ellen Alderman & Caroline Kennedy, The Right to Privacy (1995).

Throughout our nation's history, we have placed the rights of the individual at the forefront of our democracy. In the Declaration of Independence, we asserted the "unalienable right" to "life, liberty and the pursuit of happiness." Many of the most basic protections in the Constitution of the United States are imbued with an attempt to protect individual privacy while balancing it against the larger social purposes of the nation.

To take but one example, the Fourth Amendment to the United States Constitution guarantees that "the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated." By referring to the need for security of "persons" as well as "papers and effects" the Fourth
Amendment suggests enduring values in American law that relate to privacy. The need for security of "persons" is consistent with obtaining patient consent before performing invasive medical procedures. The need for security in "papers and effects" underscores the importance of protecting information about the person, contained in sources such as personal diaries, medical records, or elsewhere. As is generally true for the right of privacy in information, the right is not absolute. The test instead is what constitutes an "unreasonable" search of the papers and effects.

The United States Supreme Court has upheld the constitutional protection of personal health information. In Whalen v. Roe, 429 U.S. 589 (1977), the Court analyzed a New York statute that created a database of persons who obtained drugs for which there was both a lawful and unlawful market. The Court, in upholding the statute, recognized at least two different kinds of interests within the constitutionally protected "zone of privacy." "One is the individual interest in avoiding disclosure of personal matters," such as this regulation principally addresses. This interest in avoiding disclosure, discussed in Whalen in the context of medical information, was found to be distinct from a different line of cases concerning "the interest in independence in making certain kinds of important decisions."

Individuals' right to privacy in information about themselves is not absolute. It does not, for instance, prevent reporting of public health information on communicable diseases or stop law enforcement from getting information when due process has been observed. But many people believe that individuals should have some right to control personal and sensitive information about themselves. Among different sorts of personal information, health information is among the most sensitive. Many people
believe that details about their physical self should not generally be put on display for neighbors, employers, and government officials to see. Informed consent laws place limits on the ability of other persons to intrude physically on a person's body. Similar concerns apply to intrusions on information about the person.

Moving beyond these facts of physical treatment, there is also significant intrusion when records reveal details about a person's mental state, such as during treatment for mental health. If, in Justice Brandeis' words, the "right to be let alone" means anything, then it likely applies to having outsiders have access to one's intimate thoughts, words, and emotions. In the recent case of Jaffee v. Redmond, 116 S.Ct. 1923 (1996), the Supreme Court held that statements made to a therapist during a counseling session were protected against civil discovery under the Federal Rules of Evidence. The Court noted that all fifty states have adopted some form of the psychotherapist-patient privilege. In upholding the federal privilege, the Supreme Court stated that it "serves the public interest by facilitating the appropriate treatment for individuals suffering the effects of a mental or emotional problem. The mental health of our citizenry, no less than its physical health, is a public good of transcendent importance."

Many writers have urged a philosophical or common-sense right to privacy in one's personal information. Examples include Alan Westin, Privacy and Freedom (1967) and Janna Malamud Smith, Private Matters: In Defense of the Personal Life (1997). These writings emphasize the link between privacy and freedom and privacy and the "personal life," or the ability to develop one's own personality and self-expression. Smith, for instance, states:

The bottom line is clear. If we continually, gratuitously,
reveal other people's privacies, we harm them and ourselves, we undermine the richness of the personal life, and we fuel a social atmosphere of mutual exploitation. Let me put it another way: Little in life is as precious as the freedom to say and do things with people you love that you would not say or do if someone else were present. And few experiences are as fundamental to liberty and autonomy as maintaining control over when, how, to whom, and where you disclose personal material. Id. at 240-241.

In 1890, Louis D. Brandeis and Samuel D. Warren defined the right to privacy as "the right to be let alone." See L. Brandeis, S. Warren, "The Right To Privacy," 4 Harv.L.Rev. 193. More than a century later, privacy continues to play an important role in Americans' lives. In their book, The Right to Privacy, (Alfred A. Knopf, New York, 1995) Ellen Alderman and Caroline Kennedy describe the importance of privacy in this way:

Privacy covers many things. It protects the solitude necessary for creative thought. It allows us the independence that is part of raising a family. It protects our right to be secure in our own homes and possessions, assured that the government cannot come barging in. Privacy also encompasses our right to self-determination and to define who we are. Although we live in a world of noisy
self-confession, privacy allows us to keep certain facts to ourselves if we so choose. The right to privacy, it seems, is what makes us civilized.

Or, as Cavoukian and Tapscott observed, the right of privacy is: "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated." See A. Cavoukian, D. Tapscott, "Who Knows: Safeguarding Your Privacy in a Networked World," Random House (1995).

Increasing Public Concern About Loss of Privacy

Today, it is virtually impossible for any person to be truly "let alone." The average American is inundated with requests for information from potential employers, retail shops, telephone marketing firms, electronic marketers, banks, insurance companies, hospitals, physicians, health plans, and others. In a 1998 national survey, 88 percent of consumers said they were "concerned" by the amount of information being requested, including 55 percent who said they were "very concerned." See Privacy and American Business, 1998 Privacy Concerns & Consumer Choice Survey (http://www.pandab.org). These worries are not just theoretical. Consumers who use the
Internet to make purchases or request "free" information often are asked for personal and financial information. Companies making such requests routinely promise to protect the confidentiality of that information. Yet several firms have tried to sell this information to other companies even after promising not to do so.

Americans' concern about the privacy of their health information is part of a broader anxiety about their lack of privacy in an array of areas. A series of national public opinion polls conducted by Louis Harris & Associates documents a rising level of public concern about privacy, growing from 64 percent in 1978 to 82 percent in 1995. Over 80 percent of persons surveyed in 1999 agreed with the statement that they had "lost all control over their personal information." See Harris Equifax, Health Information Privacy Study (1993) (http://www.epic.org/privacy/medical/polls.html). A Wall Street Journal/ABC poll on September 16, 1999 asked Americans what concerned them most in the coming century. "Loss of personal privacy" was the first or second concern of 29 percent of respondents. All other issues, such as terrorism, world war, and global warming had scores of 23 percent or less.

This growing concern stems from several trends, including the growing use of interconnected electronic media for business and personal activities, our increasing ability to know an individual's genetic make-up, and, in health care, the increasing complexity of the system. Each of these trends brings the potential for tremendous benefits to individuals and society generally. At the same time, each also brings new potential for invasions of our privacy.

Increasing Use of Interconnected Electronic Information Systems

Until recently, health information was recorded and maintained on paper and stored in the offices of community-based physicians, nurses, hospitals, and other health care professionals and institutions. In some ways, this imperfect system of record keeping created a false sense of privacy among patients, providers, and others. Patients' health information has never remained completely confidential. Until recently, however, a breach of confidentiality involved a physical exchange of paper records or a verbal exchange of information. Today, however, more and more health care providers, plans, and others are utilizing electronic means of storing and transmitting health information. In 1996, the health care industry invested an estimated $10 billion to $15 billion on information technology. See National Research Council, Computer Science and Telecommunications Board, "For the Record: Protecting Electronic Health Information," (1997). The electronic information revolution is transforming the recording of health information so that the disclosure of information may require only a push of a button. In a matter of seconds, a person's most profoundly private information can be shared with hundreds, thousands, even millions of individuals and organizations at a time. While the majority of medical records still are in paper form, information from those records is often copied and transmitted through electronic means.

This ease of information collection, organization, retention, and exchange made possible by the advances in computer and other electronic technology affords many benefits to individuals and to the health care industry. Use of electronic information has helped to speed the delivery of effective care and the processing of billions of dollars worth of health care claims. Greater use of electronic data has also increased our ability to identify and treat those who are at risk for disease, conduct vital
research, detect fraud and abuse, and measure and improve the quality of care delivered in the U.S. The National Research Council recently reported that "the Internet has great potential to improve Americans' health by enhancing communications and improving access to information for care providers, patients, health plan administrators, public health officials, biomedical researchers, and other health professionals." See "Networking Health: Prescriptions for the Internet," National Academy of Sciences (2000).

At the same time, these advances have reduced or eliminated many of the financial and logistical obstacles that previously served to protect the confidentiality of health information and the privacy interests of individuals. And they have made our information available to many more people. The shift from paper to electronic records, with the accompanying greater flows of sensitive health information, thus strengthens the arguments for giving legal protection to the right to privacy in health information. In an earlier period where it was far more expensive to access and use medical records, the risk of harm to individuals was relatively low. In the potential near future, when technology makes it almost free to send lifetime medical records over the Internet, the risks may grow rapidly. It may become cost-effective, for instance, for companies
to offer services that allow purchasers to obtain details of a person's physical and mental treatments. In addition to legitimate possible uses for such services, malicious or inquisitive persons may download medical records for purposes ranging from identity theft to embarrassment to prurient interest in the life of a celebrity or neighbor. The comments to the proposed privacy rule indicate that many persons believe that they have a right to live in society without having these details of their lives laid open to unknown and possibly hostile eyes. These technological changes, in short, may provide a reason for institutionalizing privacy protections in situations where the risk of harm did not previously justify writing such protections into law.

The growing level of trepidation about privacy in general, noted above, has tracked the rise in electronic information technology. Americans have embraced the use of the Internet and other forms of electronic information as a way to provide greater access to information, save time, and save money. For example, 60 percent of Americans surveyed in 1999 reported that they have a computer in their home; 82 percent reported that they have used a computer; 64 percent say they have used the Internet; and 58 percent have sent an e-mail. Among those who are under the age of 60, these percentages are even higher. See "National Survey of Adults on Technology," Henry J. Kaiser Family Foundation (February, 2000). But 59 percent of Americans reported that they worry that an unauthorized person will gain access to their information. A recent survey suggests that 75 percent of consumers seeking health information on the Internet are concerned or very concerned about the health sites they visit sharing
their personal health information with a third party without their permission. Ethics Survey of Consumer Attitudes about Health Web Sites, California Health Care Foundation, at 3 (January, 2000).

Unless public fears are allayed, we will be unable to obtain the full benefits of electronic technologies. The absence of national standards for the confidentiality of health information has made the health care industry and the population in general uncomfortable about this primarily financially-driven expansion in the use of electronic data. Many plans, providers, and clearinghouses have taken steps to safeguard the privacy of individually identifiable health information. Yet they must currently rely on a patchwork of State laws and regulations that are incomplete and, at times, inconsistent. States have, to varying degrees, attempted to enhance confidentiality by establishing laws governing at least some aspects of medical record privacy. This approach, though a step in the right direction, is inadequate. These laws fail to provide a consistent or comprehensive legal foundation of health information privacy. For example, there is considerable variation among the states in the type of information protected and the scope of the protections provided. See Georgetown Study, at Executive Summary; Lawrence O. Gostin, Zita Lazzarrini, Kathleen M. Flaherty, Legislative Survey of State Confidentiality Laws, with Specific Emphasis on HIV and Immunization, Report to Centers for Disease Control, Council of State and Territorial Epidemiologists, and Task Force for Child Survival and Development, Carter Presidential Center (1996) (Gostin Study).

Moreover, electronic health data is becoming increasingly "national"; as more information becomes available in electronic form, it can have value far beyond the immediate
community where the patient resides. Neither private action nor state laws provide a sufficiently comprehensive and rigorous legal structure to allay public concerns, protect the right to privacy, and correct the market failures caused by the absence of privacy protections (see discussion below of market failure under section V.C). Hence, a national policy with consistent rules is necessary to encourage the increased and proper use of electronic information while also protecting the very real needs of patients to safeguard their privacy.

Advances in Genetic Sciences

Recently, scientists completed nearly a decade of work unlocking the mysteries of the human genome, creating tremendous new opportunities to identify and prevent many of the leading causes of death and disability in this country and around the world. Yet the absence of privacy protections for health information endangers these efforts by creating a barrier of distrust and suspicion among consumers. A 1995 national poll found that more than 85 percent of those surveyed were either "very concerned" or "somewhat concerned" that insurers and employers might gain access to and use genetic information. See Harris Poll, 1995 #34. Sixty-three percent of the 1,000 participants in a 1997 national survey said they would not take genetic tests if insurers and employers could gain access to the results. See "Genetic Information and the Workplace," Department of Labor, Department of Health and Human Services, Equal Employment Opportunity Commission, January 20, 1998. "In genetic testing studies at the National Institutes of Health, thirty-two percent of eligible people who were offered a test for breast cancer risk declined to take it, citing concerns about
loss of privacy and the potential for discrimination in health insurance." Sen. Leahy's comments for March 10, 1999 Introduction of the Medical Information Privacy and Security Act.

The Changing Health Care System

The number of entities who are maintaining and transmitting individually identifiable health information has increased significantly over the last 10 years. In addition, the rapid growth of integrated health care delivery systems requires greater use of integrated health information systems. The health care industry has been transformed from one that relied primarily on one-on-one interactions between patients and clinicians to a system of integrated health care delivery networks and managed care providers. Such a system requires the processing and collection of information about patients and plan enrollees (for example, in claims files or enrollment records), resulting in the creation of databases that can be easily transmitted. This dramatic change in the practice of medicine brings with it important prospects for the improvement of the quality of care and reducing the cost of that care. It also, however, means that increasing numbers of people have access to health information. And, as health plan functions are increasingly outsourced, a growing number of organizations not affiliated with our physicians or health plans also have access to health information.

According to the American Health Information Management Association (AHIMA), an average of 150 people "from nursing staff to x-ray technicians, to billing clerks" have access to a patient's medical records during the course of a typical hospitalization. While many of these individuals have a legitimate need to see all or part of a patient's records, no laws govern who those people are, what information they are able to see, and what they are and are not allowed to do with that information once they have access to it. According to the National Research Council, individually identifiable health information frequently is shared with:

• Consulting physicians;
• Managed care organizations;
• Health insurance companies;
• Life insurance companies;
• Self-insured employers;
• Pharmacies;
• Pharmacy benefit managers;
• Clinical laboratories;
• Accrediting organizations;
• State and Federal statistical agencies; and
• Medical information bureaus.

Much of this sharing of information is done without the knowledge of the patient involved. While many of these functions are important for smooth functioning of the health care system, there are no rules governing how that information is used by secondary and tertiary users. For example, a pharmacy benefit manager could receive information to determine whether an insurance plan or HMO should cover a prescription, but then use the information to market other products to the same patient. Similarly, many of us obtain health insurance coverage through our employer and, in some instances, the employer itself acts as the insurer. In these cases, the employer will obtain identifiable health information about its employees as part of the legitimate health insurance functions such as claims processing, quality
improvement, and fraud detection activities. At the same time, there is no comprehensive protection prohibiting the employer from using that information to make decisions about promotions or job retention.

Public concerns reflect these developments. A 1993 Lou Harris poll found that 75 percent of those surveyed worry that medical information from a computerized national health information system will be used for many non-health reasons, and 38 percent are very concerned. This poll, taken during the health reform efforts of 1993, showed that 85 percent of respondents believed that protecting the confidentiality of medical records is "absolutely essential" or "very essential" in health care reform. An ACLU Poll in 1994 also found that 75 percent of those surveyed are concerned a "great deal" or a "fair amount" about insurance companies putting medical information about them into a computer information bank to which others have access. Harris Equifax, Health Information Privacy Study 2,33 (1993) http://www.epic.org/privacy/medical/poll.html. Another survey found that 35 percent of Fortune 500 companies look at people's medical records before making hiring and promotion decisions. Starr, Paul. "Health and the Right to Privacy," American Journal of Law and Medicine, 1999. Vol 25, pp. 193-201.

Concerns about the lack of attention to information privacy in the health care industry are not merely theoretical. In the absence of a national legal framework of health privacy protections, consumers are increasingly vulnerable to the exposure of their personal health information. Disclosure of individually identifiable information can occur deliberately or accidentally and can occur within an organization or be the result of an external breach of security. Examples of recent privacy breaches include:

• A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999).
• A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplingers, February 2000).
• An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996).
• The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut (The Hartford Courant, May 14, 1999).
• A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (The Boston Globe, August 1, 2000).
• A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy data base included names, addresses, social security numbers, and a list of all the medicines the customers had purchased. (The New York Times, April 4, 1997 and April 12, 1997).
• A speculator bid $4000 for the patient records of a family practice in South Carolina. Among the businessman's uses of the purchased records was selling them back to the former patients. (New York Times, August 14, 1991).
• In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women. (ACLU Legislative
Update, April 1998).
• A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol. (Orlando Sentinel, November 30, 1997).

No matter how or why a disclosure of personal information is made, the harm to the individual is the same. In the face of industry evolution, the potential benefits of our changing health care system, and the real risks and occurrences of harm, protection of privacy must be built into the routine operations of our health care system.

Privacy is Necessary to Secure Effective, High Quality Health Care

While privacy is one of the key values on which our society is built, it is more than an end in itself. It is also necessary for the effective delivery of health care, both to individuals and to populations. The market failures caused by the lack of effective privacy protections for health information are discussed below (see section V.C below). Here, we discuss how privacy is a necessary foundation for delivery of high quality health care. In short, the entire health care system is built upon the willingness of individuals to share the most intimate details of their lives with their health care providers.

The need for privacy of health information, in particular, has long been recognized as critical to the delivery of needed medical care. More than anything else, the relationship between a patient and a clinician is based on trust. The clinician must trust the patient to give full and truthful information about their health, symptoms, and medical history. The patient must trust the clinician to use that information to improve his or her health and to respect the need to keep such information private. In order to
receive accurate and reliable diagnosis and treatment, patients must provide health care professionals with accurate, detailed information about their personal health, behavior, and other aspects of their lives. The provision of health information assists in the diagnosis of an illness or condition, in the development of a treatment plan, and in the evaluation of the effectiveness of that treatment. In the absence of full and accurate information, there is a serious risk that the treatment plan will be inappropriate to the patient's situation.

Patients also benefit from the disclosure of such information to the health plans that pay for and can help them gain access to needed care. Health plans and health care clearinghouses rely on the provision of such information to accurately and promptly process claims for payment and for other administrative functions that directly affect a patient's ability to receive needed care, the quality of that care, and the efficiency with which it is delivered.

Accurate medical records assist communities in identifying troubling public health trends and in evaluating the effectiveness of various public health efforts. Accurate information helps public and private payers make correct payments for care received and lower costs by identifying fraud. Accurate information provides scientists with data they need to conduct research. We cannot improve the quality of health care without information about which treatments work, and which do not.

Individuals cannot be expected to share the most intimate details of their lives unless they have confidence that such information will not be used or shared inappropriately. Privacy violations reduce consumers' trust in the health care system and institutions that serve them. Such a loss of faith can impede the quality of the health care they receive, and can harm the financial health of health care institutions.

Patients who are worried about the possible misuse of their information often take steps to protect their privacy. Recent studies show that a person who does not believe his privacy will be protected is much less likely to participate fully in the diagnosis and treatment of his medical condition. A national survey conducted in January 1999 found that one in five Americans believe their health information is being used inappropriately. See California HealthCare Foundation, "National Survey: Confidentiality of Medical Records" (January, 1999) (http://www.chcf.org). More troubling is the fact that one in six Americans reported that they have taken some sort of evasive action to avoid the inappropriate use of their information by providing inaccurate information to a health care provider, changing physicians, or avoiding care altogether. Similarly, in its comments on our proposed rule, the Association of American Physicians and Surgeons reported 78 percent of its members reported withholding information from a
patient's record due to privacy concerns and another 87 percent reported having had a patient request to withhold information from their records. For an example of this phenomenon in a particular demographic group, see Drs. Bearman, Ford, and Moody, "Foregone Health Care among Adolescents," JAMA, vol. 282, no. 23 (999); Cheng, T.L., et al., "Confidentiality in Health Care: A Survey of Knowledge, Perceptions, and Attitudes among High School Students," JAMA, vol. 269, no. 11 (1993), at 1404-1407.

The absence of strong national standards for medical privacy has widespread consequences. Health care professionals who lose the trust of their patients cannot deliver high-quality care. In 1999, a coalition of organizations representing various stakeholders including health plans, physicians, nurses, employers, disability and mental health advocates, accreditation organizations as well as experts in public health, medical ethics, information systems, and health policy adopted a set of "best principles" for health care privacy that are consistent with the standards we lay out here. (See the Health Privacy Working Group, "Best Principles for Health Privacy" (July, 1999) (Best Principles Study). The Best Principles Study states that "To protect their privacy and avoid embarrassment, stigma, and discrimination, some people withhold information from their health care providers, provide inaccurate information, doctor-hop to avoid a consolidated medical record, pay out-of-pocket for care that is covered by insurance, and - in some cases - avoid care altogether." Best Principles Study, at 9. In their comments on our proposed rule, numerous organizations representing health plans, health providers, employers, and others acknowledged the value of a set of national privacy standards to the efficient operation of their practices and businesses.

Breaches of Health Privacy Harm More than Our Health Status

A breach of a person's health privacy can have significant implications well beyond the physical health of that person, including the loss of a job, alienation of family and friends, the loss of health insurance, and public humiliation. For example:

• A banker who also sat on a county health board gained access to patients' records and identified several people with cancer and called in their mortgages. See the National Law Journal, May 30, 1994.
• A physician was diagnosed with AIDS at the hospital in which he practiced medicine. His surgical privileges were suspended. See Estate of Behringer v. Medical Center at Princeton, 249 N.J. Super. 597.
• A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt. See New York Times, October 10, 1992, Section 1, page 25.
• A 30-year FBI veteran was put on administrative leave when, without his permission, his pharmacy released information about his treatment for depression. (Los Angeles Times, September 1, 1998)
• Consumer Reports found that 40 percent of insurers disclose personal health information to lenders, employers, or marketers without customer permission. "Who's reading your Medical Records," Consumer Reports, October 1994, at 628, paraphrasing Sweeny, Latanya, "Weaving Technology and Policy Together to Maintain Confidentiality," The Journal Of Law Medicine and Ethics (Summer & Fall 1997) Vol. 25, Numbers 2,3.

The answer to these concerns is not for consumers to withdraw from society and the health care system, but for society to establish a clear national legal framework for
privacy. By spelling out what is and what is not an allowable use of a person's identifiable health information, such standards can help to restore and preserve trust in the health care system and the individuals and institutions that comprise that system. As medical historian Paul Starr wrote: "Patients have a strong interest in preserving the privacy of their personal health information but they also have an interest in medical research and other efforts by health care organizations to improve the medical care they receive. As members of the wider community, they have an interest in public health measures that require the collection of personal data." (P. Starr, "Health and the Right to Privacy," American Journal of Law & Medicine, 25, nos. 2&3 (1999) 193-201). The task of society and its government is to create a balance in which the individual's needs and rights are balanced against the needs and rights of society as a whole.

National standards for medical privacy must recognize the sometimes competing goals of improving individual and public health, advancing scientific knowledge, enforcing the laws of the land, and processing and paying claims for health care services. This need for balance has been recognized by many of the experts in this field. Cavoukian and Tapscott described it this way: "An individual's right to privacy may conflict with the collective rights of the public. . . We do not suggest that privacy is an absolute right that reigns supreme over all other rights. It does not. However, the case for privacy will depend on a number of factors that can influence the balance - the level of harm to the individual involved versus the needs of the public."

The Federal Response
There have been numerous federal initiatives aimed at protecting the privacy of especially sensitive personal information over the past several years -- and several decades. While the rules below are likely the largest single federal initiative to protect privacy, they are by no means alone in the field. Rather, the rules arrive in the context of recent legislative activity to grapple with advances in technology, in addition to an already established body of law granting federal protections for personal privacy.

In 1965, the House of Representatives created a Special Subcommittee on Invasion of Privacy. In 1973, this Department's predecessor agency, the Department of Health, Education and Welfare issued The Code of Fair Information Practice Principles establishing an important baseline for information privacy in the U.S. These principles formed the basis for the federal Privacy Act of 1974, which regulates the government's use of personal information by limiting the disclosure of personally-identifiable information, allows consumers access to information about them, requires federal agencies to specify the purposes for collecting personal information, and provides civil and criminal penalties for misuse of information.

In the last several years, with the rapid expansion in electronic technology -- and accompanying concerns about individual privacy -- laws, regulations, and legislative
proposals have been developed in areas ranging from financial privacy to genetic privacy to the safeguarding of children on-line. For example, the Children's Online Privacy Protection Act was enacted in 1998, providing protection for children when interacting at web-sites. In February, 2000, President Clinton signed Executive Order 13145, banning the use of genetic information in federal hiring and promotion decisions. The landmark financial modernization bill, signed by the President in November, 1999, likewise contained financial privacy protections for consumers. There also has been recent legislative activity on establishing legal safeguards for the privacy of individuals' Social Security numbers, and calls for regulation of on-line privacy in general.

These most recent laws, regulations, and legislative proposals come against the backdrop of decades of privacy-enhancing statutes passed at the federal level to enact safeguards in fields ranging from government data files to video rental records. In the 1970s, individual privacy was paramount in the passage of the Fair Credit Reporting Act (1970), the Privacy Act (1974), the Family Educational Rights and Privacy Act (1974), and the Right to Financial Privacy Act (1978). These key laws were followed in the next decade by another series of statutes, including the Privacy Protection Act (1980), the Electronic Communications Privacy Act (1986), the Video Privacy Protection Act (1988), and the Employee Polygraph Protection Act (1988). In the last ten years, Congress and the President have passed additional legal privacy protection through, among others, the Telephone Consumer Protection Act (1991), the Driver's Privacy Protection Act (1994), the Telecommunications Act (1996), the Children's Online Privacy Protection Act (1998), the Identity Theft and Assumption Deterrence Act (1998), and Title V of the Gramm-Leach-Bliley Act (1999)
governing financial privacy.

In 1997, a Presidential advisory commission, the Advisory Commission on Consumer Protection and Quality in the Health Care Industry, recognized the need for patient privacy protection in its recommendations for a Consumer Bill of Rights and Responsibilities (November 1997). In 1997, Congress enacted the Balanced Budget Act (Public Law 105-34), which added language to the Social Security Act (18 U.S.C. 1852) to require Medicare+Choice organizations to establish safeguards for the privacy of individually identifiable patient information. Similarly, the Veterans Benefits section of the U.S. Code provides for confidentiality of medical records in cases involving drug abuse, alcoholism or alcohol abuse, HIV infection, or sickle cell anemia (38 U.S.C. 7332).

As described in more detail in the next section, Congress recognized the importance of protecting the privacy of health information by enacting the Health Insurance Portability and Accountability Act of 1996. The Act called on Congress to enact a medical privacy statute and asked the Secretary of Health and Human Services to provide Congress with recommendations for protecting the confidentiality of health care information. The Congress further recognized the importance of such standards by providing the Secretary with authority to promulgate regulations on health care privacy in the event that lawmakers were unable to act within the allotted three years.

Finally, it also is important for the U.S. to join the rest of the developed world in establishing basic medical privacy protections. In 1995, the European Union (EU) adopted a Data Privacy Directive requiring its 15 member states to adopt consistent privacy laws by October 1998. The EU urged all other nations to do the same or face the potential loss of access to information from EU countries.

Statutory Background

History of the Privacy Component of the Administrative Simplification Provisions

The Congress addressed the opportunities and challenges presented by the rapid evolution of health information systems in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which was enacted on August 21, 1996. Sections 261 through 264 of HIPAA are known as the Administrative Simplification provisions. The major part of these Administrative Simplification provisions is found at section 262 of HIPAA, which enacted a new part C of title XI of the Social Security Act (hereinafter we refer to the Social Security Act as the "Act" and we refer to all other laws cited in this document by their names).

In section 262, Congress primarily sought to facilitate the efficiencies and cost savings for the health care industry that the increasing use of electronic technology affords. Thus, section 262 directs HHS to issue standards to facilitate the electronic exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit information electronically in connection with such transactions.

At the same time, Congress recognized the challenges to the confidentiality of health information presented by the increasing complexity of the health care industry, and by
advances in health information systems technology and communications. Section 262 thus also directs HHS to develop standards to protect the security, including the confidentiality and integrity, of health information.

Congress has long recognized the need for protection of health information privacy generally, as well as the privacy implications of electronic data interchange and the increased ease of transmitting and sharing individually identifiable health information. Congress has been working on broad health privacy legislation for many years and, as evidenced by the self-imposed three year deadline included in the HIPAA, discussed below, believes it can and should enact such legislation. A significant portion of the first Administrative Simplification section debated on the floor of the Senate in 1994 (as part of the Health Security Act) consisted of privacy provisions. In the version of the HIPAA passed by the House of Representatives in 1996, the requirement for the issuance of privacy standards was located in the same section of the bill (section
Ð1173)€as€the€requirements€for€issuance€of€the€other€HIPAA€Administrative€Simplification€standards.€In€conference,€the€requirement€for€privacy€standards€was€moved€to€aÐ ò)ò)" Ðseparate€section€in€the€same€part€of€HIPAA,€section€264,€so€that€Congress€could€link€the€Privacy€standards€to€Congressional€action.Ð ì*ì*# ÐSection€264(b)€requires€the€Secretary€of€HHS€to€develop€and€submit€to€the€Congress€recommendations€for:Ð Â,Â,$ Ððð€The€rights€that€an€individual€who€is€a€subject€of€individually€identifiable€health€information€should€have.Ð ˜.˜.% Ððð€The€procedures€that€should€be€established€for€the€exercise€of€such€rights.Ð n0n0& Ððð€The€uses€and€disclosures€of€such€information€that€should€be€authorized€or€required.Ð D2D2' ÐThe€Secretary's€Recommendations€were€submitted€to€the€Congress€on€September€11,€1997.€Section€264(c)(1)€provides€that:If€legislation€governing€standards€withÐ ÜÜ Ðrespect€to€the€privacy€of€individually€identifiable€health€information€transmitted€in€connection€with€the€transactions€described€in€section€1173(a)€of€the€Social€Security€ActÐ ÖÖ Ð(as€added€by€section€262)€is€not€enacted€by€[August€21,€1999],€the€Secretary€of€Health€and€Human€Services€shall€promulgate€final€regulations€containing€such€standardsÐ ÐÐ Ðnot€later€than€[February€21,€2000].€Such€regulations€shall€address€at€least€the€subjects€described€in€subsection€(b).As€the€Congress€did€not€enact€legislation€regarding€theÐ ÊÊ Ðprivacy€of€individually€identifiable€health€information€prior€to€August€21,€1999,€HHS€published€proposed€rules€setting€forth€such€standards€on€November€3,€1999,€64€FRÐ ÄÄ Ð59918,€and€is€now€publishing€the€mandated€final€regulation.Ð ¾¾ ÐThese€privacy€standards€have€been,€and€continue€to€be,€an€integral€part€of€the€suite€of€Administrative€Simplification€standards€intended€to€simplify€and€improve€theÐ ”” Ðefficiency€of€the€administration€of€our€health€care€system.Ð ŽŽ ÐÝ‚ZjGÝÔ€$XþðXX$XþðÔò òÔ  ÔÝ  ÝÝ‚Zj1ÝÝ  
The Administrative Simplification Provisions, and Regulatory Actions To Date

Part C of title XI consists of sections 1171 through 1179 of the Act. These sections define various terms and impose several requirements on HHS, health plans, health care clearinghouses, and health care providers who conduct the identified transactions electronically.

The first section, section 1171 of the Act, establishes definitions for purposes of part C of title XI for the following terms: code set, health care clearinghouse, health care provider, health information, health plan, individually identifiable health information, standard, and standard setting organization.

Section 1172 of the Act makes the standard adopted under part C applicable to: (1) health plans, (2) health care clearinghouses, and (3) health care providers who transmit health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (hereinafter referred to as the "covered entities"). Section 1172 also contains procedural requirements concerning the adoption of standards, including the role of standard setting organizations and required consultations, summarized in subsection F and section VI, below.

Section 1173 of the Act requires the Secretary to adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically. Section 1173(a)(1) describes the transactions to be promulgated, which include the nine transactions listed in section 1173(a)(2) and other transactions determined appropriate by the Secretary. The remainder of section 1173 sets out requirements for the specific standards the Secretary is to adopt: unique health identifiers, code sets, security standards, electronic signatures, and transfer of information among health plans. Of particular relevance to this proposed rule is section 1173(d), the security standard provision. The security standard authority applies to both the transmission and the maintenance of health information, and requires the entities described in section 1172(a) to maintain reasonable and appropriate safeguards to ensure the integrity and confidentiality of the information, protect against reasonably anticipated threats or hazards to the security or integrity of the information or unauthorized uses or disclosures of the information, and to ensure compliance with part C by the entity's officers and employees.

In section 1174 of the Act, the Secretary is required to establish standards for all of the above transactions, except claims attachments, by February 21, 1998. The statutory deadline for the claims attachment standard is February 21, 1999.

As noted above, a proposed rule for most of the transactions was published on May 7, 1998, and the final Transactions Rule was promulgated on August 17, 2000. The delay was caused by the deliberate consensus building process, working with industry, and the large number of comments received (about 17,000). In addition, in a series of Notices of Proposed Rulemakings, HHS published other proposed standards, as described above. Each of these steps was taken in concert with the affected professions and industries, to ensure rapid adoption and compliance.

Generally, after a standard is established, it may not be changed during the first year after adoption except for changes that are necessary to permit compliance with the standard. Modifications to any of these standards may be made after the first year, but not more frequently than once every 12 months. The Secretary also must ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets and that there are crosswalks from prior versions.

Section 1175 of the Act prohibits health plans from refusing to process, or from delaying processing of, a transaction that is presented in standard format. It also establishes a timetable for compliance: each person to whom a standard or implementation specification applies is required to comply with the standard within 24 months (or 36 months for small health plans) of its adoption. A health plan or other entity may, of course, comply voluntarily before the effective date. The section also provides that compliance with modifications to standards or implementation specifications must be accomplished by a date designated by the Secretary, which date may not be earlier than 180 days from the notice of change.

Section 1176 of the Act establishes civil monetary penalties for violation of the provisions in part C of title XI of the Act, subject to several limitations. Penalties may not be more than $100 per person per violation and not more than $25,000 per person for violations of a single standard for a calendar year. The procedural provisions of section 1128A of the Act apply to actions taken to obtain civil monetary penalties under this section.

Section 1177 establishes penalties for any person that knowingly uses a unique health identifier, or obtains or discloses individually identifiable health information in violation of the part. The penalties include: (1) a fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if the offense is "under false pretenses," a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if the offense is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years.

Under section 1178 of the Act, the requirements of part C, as well as any standards or implementation specifications adopted thereunder, preempt contrary state law. There are three exceptions to this general rule of preemption: state laws that the Secretary determines are necessary for certain purposes set forth in the statute; state laws that the Secretary determines address controlled substances; and state laws relating to the privacy of individually identifiable health information that are contrary to and more stringent than the federal requirements. There also are certain areas of state law (generally relating to public health and oversight of health plans) that are explicitly carved out of the general rule of preemption and addressed separately.

Section 1179 of the Act makes the above provisions inapplicable to financial institutions (as defined by section 1101 of the Right to Financial Privacy Act of 1978) or anyone acting on behalf of a financial institution when "authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution."

Finally, as explained above, section 264 requires the Secretary to issue standards with respect to the privacy of individually identifiable health information. Section 264 also contains a preemption provision that provides that contrary provisions of state laws that are more stringent than the federal standards, requirements, or implementation specifications will not be preempted.

Our Approach to This Regulation

Balance

A number of facts informed our approach to this regulation. Determining the best approach to protecting privacy depends on where we start, both with respect to existing legal expectations and also with respect to the expectations of individuals, health care providers, payers and other stakeholders. From the comments we received on the proposed rule, and from the extensive fact finding in which we engaged, a confused picture developed. We learned that stakeholders in the system have very different ideas about the extent and nature of the privacy protections that exist today, and very different ideas about appropriate uses of health information. This leads us to seek to balance the views of the different stakeholders, weighing the varying interests on each particular issue with a view to creating balance in the regulation as a whole.

For example, we received hundreds of comments explaining the legitimacy of various uses and disclosure of health information. We agree that many uses and disclosures of health information are "legitimate," but that is not the end of the inquiry. Neither privacy, nor the important social goals described by the commenters, are absolutes. In this regulation, we are asking health providers and institutions to add privacy into the balance, and we are asking individuals to add social goals into the balance.

The vast difference among regulated entities also informed our approach in significant ways. This regulation applies to solo practitioners, and multi-national health plans. It applies to pharmacies and information clearinghouses. These entities differ not only in the nature and scope of their businesses, but also in the degree of sophistication of their information systems and information needs. We therefore designed the core requirements of this regulation to be flexible and "scalable." This is reflected throughout the rule, particularly in the implementation specifications for making the 'minimum necessary' uses and disclosures, and in the administrative policies and procedures requirements.

We also are informed by the rapid evolution in industry organization and practice. Our goal is to enhance privacy protections in ways that do not impede this evolution. For example, we received many comments asking us to assign a status under this regulation based on a label or title. For example, many commenters asked whether "disease management" is a "health care operation," or whether a "pharmacy benefits manager" is a covered entity. From the comments and our fact-finding, however, we learned that these terms do not have consistent meanings today; rather, they encompass diverse activities and information practices. Further, the statutory definitions of key terms such as 'health care provider' and 'health care clearinghouse' describe functions, not specific types of persons or entities. To respect both the Congressional approach and industry evolution, we design the rule to follow activities and functions, not titles and labels.

Similarly, many comments asked whether a particular person would be a "business associate" under the rule, based on the nature of the person's business. Whether a business associate arrangement must exist under the rule, however, depends on the relationship between the entities and the services being performed, not on the type of persons or companies involved.

Our approach is also significantly informed by the limited jurisdiction conferred by HIPAA. In large part, we have the authority to regulate those who create and disclose health information, but not many key stakeholders who receive that health information from a covered entity. Again, this led us to look to the balance between the burden on covered entities and need to protect privacy in determining our approach to such disclosures. In some instances, we approach this dilemma by requiring covered entities to obtain a representation or documentation of purpose from the person requesting information. While there would be advantages to legislation regulating such third persons directly, we cannot justify abandoning any effort to enhance privacy.

It also became clear from the comments and our fact-finding that we have expectations as a society that conflict with individuals' views about the privacy of health information. We expect the health care industry to develop treatment protocols for the delivery of high quality health care. We expect insurers and the government to reduce fraud in the health care system. We expect to be protected from epidemics, and we expect medical research to produce miracles. We expect the police to apprehend suspects, and we expect to pay for our care by credit card. All of these activities involve disclosure of health information to someone other than our physician.

While most commenters support the concept of health privacy in general, many go on to describe activities that depend on the disclosure of health information and urge us to protect those information flows. Section III, in which we respond to the comments, describes our approach to balancing these conflicting expectations.

Finally, we note that many commenters were concerned that this regulation would lessen current privacy protections. It is important to understand this regulation as a new federal floor of privacy protections that does not disturb more protective rules or practices. Nor do we intend this regulation to describe a set of "best practices." Rather, this regulation describes a set of basic consumer protections and a series of regulatory permissions for use and disclosure of health information. The protections are a mandatory floor, which other governments and any covered entity may exceed. The permissions are just that, permissive -- the only disclosures of health information required under this rule are to the individual who is the subject of the information or to the Secretary for enforcement of this rule. We expect covered entities to rely on their professional ethics and use their own best judgements in deciding which of these permissions they will use.

Combining Workability with New Protections

This rule establishes national minimum standards to protect the privacy of individually identifiable health information in prescribed settings. The standards address the many varied uses and disclosures of individually identifiable health information by health plans, certain health care providers and health care clearinghouses. The complexity of the standards reflects the complexity of the health care marketplace to which they apply and the variety of subjects that must be addressed. The rule applies not only to the core health care functions relating to treating patients and reimbursing health care providers, but also to activities that range from when individually identifiable health information should be available for research without authorization to whether a health care provider may release protected health information about a patient for law enforcement purposes. The number of discrete provisions, and the number of commenters requesting that the rule recognize particular activities, is evidence of the significant role that individually identifiable health information plays in many vital public and private concerns.

At the same time, the large number of comments from individuals and groups representing individuals demonstrate the deep public concern about the need to protect the privacy of individually identifiable health information. The discussion above is rich with evidence about the importance of protecting privacy and the potential adverse consequences to individuals and their health if such protections are not extended.

The need to balance these competing interests - the necessity of protecting privacy and the public interest in using identifiable health information for vital public and private purposes - in a way that is also workable for the varied stakeholders causes much of the complexity in the rule. Achieving workability without sacrificing protection means some level of complexity, because the rule must track current practices and current practices are complex. We believe that the complexity entailed in reflecting those practices is better public policy than a perhaps simpler rule that disturbed important information flows.

Although the rule taken as a whole is complicated, we believe that the standards are much less complex as they apply to particular actors. What a health plan or covered health care provider must do to comply with the rule is clear, and the two-year delayed implementation provides a substantial period for trade and professional associations, working with their members, to assess the effects of the standards and develop policies and procedures to come into compliance with them. For individuals, the system may look substantially more complicated because, for the first time, we are ensuring that individuals will receive detailed information about how their individually identifiable health information may be used and disclosed. We also provide individuals with additional tools to exercise some control over those uses and disclosures. The additional complexity for individuals is the price of expanding their understanding and their rights.

The Department will work actively with members of the health care industry, representatives of individuals and others during the implementation of this rule. As stated elsewhere, our focus is to develop broader understanding of how the standards work and to facilitate compliance. We intend to provide guidance and check lists as appropriate, particularly to small businesses affected by the rule. We also will work with trade and professional associations to develop guidance and provide technical assistance so that they can help their members understand and comply with these new standards. If this effort is to succeed, the various public and private participants inside and outside of the health care system will need to work together to assure that the competing interests described above remain in balance and that an ethic that recognizes their importance is established.

Enforcement

The Secretary has decided to delegate her responsibility under this regulation to the Department's Office for Civil Rights (OCR). OCR will be responsible for enforcement of this regulation. Enforcement activities will include working with covered entities to secure voluntary compliance through the provision of technical assistance and other means; responding to questions regarding the regulation and providing interpretations and guidance; responding to state requests for exception determinations; investigating complaints and conducting compliance reviews; and, where voluntary compliance cannot be achieved, seeking civil monetary penalties and making referrals for criminal prosecution.

Consent

Current law and practice

The issue that drew the most comments overall is the question of when individuals' permission should be obtained prior to use or disclosure of their health information. We learned that individuals' views and the legal view of 'consent' for use and disclosure of health information are different and in many ways incompatible. Comments from individuals revealed a common belief that, today, people must be asked permission for each and every release of their health information. Many believe that they "own" the health records about them. However, current law and practice do not support this view.

Current privacy protection practices are determined in part by the standards and practices that the professional associations have adopted for their members. Professional codes of conduct for ethical behavior generally can be found as opinions and guidelines developed by organizations such as the American Medical Association, American Nurses' Association, the American Hospital Association, the American Psychiatric Association, and the American Dental Association. These are generally issued through an organization's governing body. The codes do not have the force of law, but providers often recognize them as binding rules.

Our review of professional codes of ethics revealed partial, but loose, support for individuals' expectations of privacy. For example, the American Medical Association's Code of Ethics recognizes both the right to privacy and the need to balance it against societal needs. It reads in part: "conflicts between a patient's right to privacy and a third party's need to know should be resolved in favor of the patient, except where that would result in serious health hazard or harm to the patient or others." AMA Policy No 140.989. See also, Mass. Med. Society, Patient Privacy and Confidentiality (1996), at 14:

Patients enter treatment with the expectation that the information they share will be used exclusively for their clinical care. Protection of our patients' confidences is an integral part of our ethical training.

These codes, however, do not apply to many who obtain information from providers. For example, the National Association of Insurance Commissioners model code, "Health Information Privacy Model Act" (1998), applies to insurers but has not been widely adopted. Codes of ethics are also often written in general terms that do not provide guidance to providers and plans confronted with specific questions about protecting health information.

State laws are a crucial means of protecting health information, and today state laws vary dramatically. Some states defer to the professional codes of conduct, others provide general guidelines for privacy protection, and others provide detailed requirements relating to the protection of information relating to specific diseases or to entire classes of information. Cf., D.C. Code Ann. § 2-3305.14(16) and Haw. Rev. Stat. 323C, et seq. In general, state statutes and case law addressing consent to use of health information do not support the public's strong expectations regarding consent for use and disclosure of health information. Only about half of the states have a general law that prohibits disclosure of health information without patient authorization and some of these are limited to hospital medical records.

Even when a state has a law limiting disclosure of health information, the law typically exempts many types of disclosure from the authorization requirement. Georgetown Study, Key Findings; Lisa Dahm, "50-State Survey on Patient Health Care Record Confidentiality," American Health Lawyers Association (1999). One of the most common exemptions from a consent requirement is disclosure of health information for treatment and related purposes. See, e.g., Wis. Stat. § 164.82; Cal. Civ. Code 56:10; National Conference of Commissioners on Uniform State Laws, Uniform Health-Care Information Act, Minneapolis, MN, August 9, 1985. Some states include utilization review and similar activities in the exemption. See, e.g., Ariz. Rev. Stat. § 12-2294. Another common exemption from consent is disclosure of health information for purposes of obtaining payment. See, e.g., Fla. Stat. Ann. § 455.667; Tex. Rev. Civ. Stat. Art. 4495, § 5.08(h); 410 Ill. Comp. Stat. 50/3(d). Other common exemptions include disclosures for emergency care, and for disclosures to government authorities (such as a department of public health). See Gostin Study, at 1-2; 48-51. Some states also exempt disclosure to law enforcement officials (e.g., Massachusetts, Ch. 254 of the Acts of 2000), coroners (Wis. Stat. § 146.82), and for such purposes as business operations, oversight, research, and for directory information. Under these exceptions, providers can disclose health information without any consent or authorization from the patient. When states require specific, written authorization for disclosure of health information, the authorizations are usually only required for certain types of disclosures or certain types of information, and one authorization can suffice for multiple disclosures over time.

The states that do not have laws prohibiting disclosure of health information impose no specific requirements for consent or authorization prior to release of health information. There may, however, be other controls on release of health information. For instance, most health care professional licensure laws include general prohibitions against 'breaches of confidentiality.' In some states, patients can hold providers accountable for some unauthorized disclosures of health information about them under various tort theories, such as invasion of privacy and breach of a confidential relationship. While these controls may affect certain disclosure practices, they do not amount to a requirement that a provider obtain authorization for each and every disclosure of health information.

Further, patients are typically not given a choice; they must sign the "consent" in order to receive care. As the Georgetown Study points out, "In effect, the authorization may function more as a waiver of consent -- the patient may not have an opportunity to object to any disclosures." Georgetown Study, Key Findings.

In the many cases where neither state law nor professional ethical standards exist, the only privacy protection individuals have is limited to the policies and procedures that the health care entity adopts. Corporate privacy policies are often proprietary. While several professional associations attached their privacy principles to their comments, health care entities did not. One study we found indicates that these policies are not adequate to provide appropriate privacy protections and alleviate public concern. The Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure made multiple findings highlighting the need for heightened privacy and security, including:

Finding 5: The greatest concerns regarding the privacy of health information derives from widespread sharing of patient information throughout the health care industry and the inadequate federal and state regulatory framework for systematic protection of health information.

For the Record: Protecting Electronic Health Information, National Academy Press, Washington DC, 1997.

Consent under this rule

In the NPRM, we expressed concern about the coercive nature of consents currently obtained by providers and plans relating to the use and disclosure of health information. We also expressed concern about the lack of information available to the patient during the process, and the fact that patients often were not even presented with a copy of the consent that they have signed. These and other concerns led us to propose that covered entities be permitted to use and disclose protected health information for treatment, payment and health care operations without the express consent of the subject individual.

In the final rule, we alter our proposed approach and require, in most instances, that health care providers who have a direct treatment relationship with their patients obtain the consent of their patients to use and disclose protected health information for treatment, payment and health care operations. While our concern about the coerced nature of these consents remains, many comments that we received from individuals, health care professionals, and organizations that represent them indicated that both patients and practitioners believe that patient consent is an important part of the current health care system and should be retained.

Providing and obtaining consent clearly has meaning for patients and practitioners. Patient advocates argued that the act of signing focuses the patient's attention on the substance of the transaction and provides an opportunity for the patient to ask questions about or seek modifications in the provider's practices. Many health care practitioners and their representatives argued that seeking a patient's consent to disclose confidential information is an ethical requirement that strengthens the physician-patient relationship. Both practitioners and patients argued that the approach proposed in the NPRM actually reduced patient protections by eliminating the opportunity for patients to agree to how their confidential information would be used and disclosed.

While we believe that the provisions in the NPRM that provided for detailed notice to the patient and the right to request restrictions would have provided an opportunity for patients and providers to discuss and negotiate over information practices, it is clear from the comments that many practitioners and patients believe the approach proposed in the NPRM is not an acceptable replacement for the patient providing consent. To encourage a more informed interaction between the patient and the provider during the consent process, the final rule requires that the consent form that is presented to the patient be accompanied by a notice that contains a detailed discussion of the provider's health information practices. The consent form must reference the notice and also must inform the patient that he or she has the right to ask the health care provider to request certain restrictions as to how the information of the patient will be used or disclosed. Our goal is to provide an opportunity for and to encourage more informed discussions between patients and providers about how protected health information will be used and disclosed within the health care system.

We considered and rejected other approaches to consent, including those that involved individuals providing a global consent to uses and disclosures when they sign up for insurance. While such approaches do require the patient to provide consent, it is not really an informed one or a voluntary one. It is also unclear how a consent obtained at the enrollment stage would be meaningfully communicated to the many providers who create the health information in the first instance. The ability to negotiate restrictions or otherwise have a meaningful discussion with the front-line provider would be independent of, and potentially in conflict with, the consent obtained at the enrollment stage. In addition, employers today are moving toward simplified enrollment forms, using check-off boxes and similar devices. The opportunity for any meaningful consideration or interaction at that point is slight. For these and other reasons, we decided that, to the extent a consent can accomplish the goal sought by individuals and providers, it must be focused on the direct interaction between an individual and provider.

The comments and fact-finding indicate that our approach will not significantly change the administrative aspect of consent as it exists today. Most direct treatment providers today obtain some type of consent for some uses and disclosures of health information. Our regulation will ensure that those consents cover the routine uses and disclosures of health information, and provide an opportunity for individuals to obtain further information and have further discussion, should they so desire.

Administrative Costs

Section 1172(b) of the Act provides that "[a]ny standard adopted under this part [part C of title XI of the Act] shall be consistent with the objective of reducing the administrative costs of providing and paying for health care." The privacy and security standards are the platform on which the remaining standards rest; indeed, the design of part C of title XI makes clear that the various standards are intended to function together. Thus, the costs of privacy and security are properly attributable to the suite of administrative simplification regulations as a whole, and the cost savings realized should likewise be calculated on an aggregated basis, as is done below. Because the privacy standards are an integral and necessary part of the suite of Administrative Simplification standards, and because that suite of standards will result in substantial administrative cost savings, the privacy standards are "consistent with the objective of reducing the administrative costs of providing and paying for health care."

As more fully discussed in the Regulatory Impact and Regulatory Flexibility analyses below, we recognize that these privacy standards will entail substantial initial and ongoing administrative costs for entities subject to the rules. It is also the case that the privacy standards, like the security standards authorized by section 1173(d) of the Act, are necessitated by the technological advances in information exchange that the remaining Administrative Simplification standards facilitate for the health care industry. The same technological advances that make possible enormous administrative cost savings for the industry as a whole have also made it possible to breach the security and privacy of health information on a scale that was previously inconceivable. The Congress recognized that adequate protection of the security and privacy of health information is a sine qua non of the increased efficiency of information exchange brought about by the electronic revolution, by enacting the security and privacy provisions of the law. Thus, as a matter of policy as well as law, the administrative standards should be viewed as a whole in determining whether they are "consistent with" the objective of reducing administrative costs.

Consultations

The Congress required the Secretary to consult with specified groups in developing the standards under sections 262 and 264. Section 264(d) of HIPAA specifically requires the Secretary to consult with the National Committee on Vital and Health Statistics (NCVHS) and the Attorney General in carrying out her responsibilities under
Ðthe€section.€Section€1172(b)(3)€of€the€Act,€which€was€enacted€by€section€262,€requires€that,€in€developing€a€standard€under€section€1172€for€which€no€standard€settingÐ  Ðorganization€has€already€developed€a€standard,€the€Secretary€must,€before€adopting€the€standard,€consult€with€the€National€Uniform€Billing€Committee€(NUBC),€theÐ  ÐNational€Uniform€Claim€Committee€(NUCC),€the€Workgroup€for€Electronic€Data€Interchange€(WEDI),€and€the€American€Dental€Association€(ADA).€Section€1172(f)Ð    Ðalso€requires€the€Secretary€to€rely€on€the€recommendations€of€the€NCVHS€and€consult€with€other€appropriate€federal€and€state€agencies€and€private€organizations.Ð  ÐWe€engaged€in€the€required€consultations€including€the€Attorney€General,€NUBC,€NUCC,€WEDI€and€the€ADA.€We€consulted€with€the€NCVHS€in€developing€theÐ ÚÚ ÐRecommendations,€upon€which€this€proposed€rule€is€based.€We€continued€to€consult€with€this€committee€by€requesting€the€committee€to€review€the€proposed€rule€andÐ ÔÔ Ðprovide€comments€prior€to€its€publication,€and€by€reviewing€transcripts€of€its€public€meeting€on€privacy€and€related€topics.€We€consulted€with€representatives€of€theÐ ÎÎ ÐNational€Congress€of€American€Indians,€the€National€Indian€Health€Board,€and€the€self€governance€tribes.€We€also€met€with€representatives€of€the€National€Governors'Ð ÈÈ ÐAssociation,€the€National€Conference€of€State€Legislatures,€the€National€Association€of€Public€Health€Statistics€and€Information€Systems,€and€a€number€of€other€stateР Ðorganizations€to€discuss€the€framework€for€the€proposed€rule,€issues€of€special€interests€to€the€states,€and€the€process€for€providing€comments€on€the€proposed€rule.Ð ¼¼ ÐMany€of€these€groups€submitted€comments€to€the€proposed€rule,€and€those€were€taken€into€account€in€developing€the€final€regulation.Ð ’’ ÐIn€addition€to€the€required€consultations,€we€met€with€numerous€individuals,€entities,€and€agencies€regarding€the€regulation,€with€the€goal€of€making€these€standards€asÐ hh 
Ðcompatible€as€possible€with€current€business€practices,€while€still€enhancing€privacy€protection.€During€the€open€comment€period,€we€met€with€dozens€of€groups.Ð b b  ÐRelevant€federal€agencies€participated€in€the€interagency€working€groups€that€developed€the€NPRM€and€the€final€regulation,€with€additional€representatives€from€allÐ 8"8" Ðoperating€divisions€and€many€staff€offices€of€HHS.€The€following€federal€agencies€and€offices€were€represented€on€the€interagency€working€groups:€the€Department€ofÐ 2#2# ÐJustice,€the€Department€of€Commerce,€the€Social€Security€Administration,€the€Department€of€Defense,€the€Department€of€Veterans€Affairs,€the€Department€of€Labor,€theÐ ,$,$ ÐOffice€of€Personnel€Management,€and€the€Office€of€Management€and€Budget.