Overview of the HIPAA Final Privacy Regulations
I. Background
The Health Insurance Portability and Accountability Act (HIPAA)
of 1996 is a broad federal law, only part of which
is intended to protect the privacy of health care information.
HIPAA required Congress to enact a health information
privacy law by August 1999 and stated that if it did
not act by then (as it did not), then the U.S. Department
of Health and Human Services (DHHS) must develop privacy
regulations. DHHS proposed regulations in November 1999,
and following a public comment period in which it received
more than 52,000 comments, published a final rule at
the end of December 2000.
In January 2001, the Bush Administration put the Privacy
Rule on hold and, in February, reopened it for public
comment. President Bush then lifted the hold, indicating
that changes would follow in response to the comments,
but confirming the rule's effective date of April 14,
2001. The rule requires compliance by April 14, 2003
(two years after the effective date).
Notably, DHHS proposed many changes to the rule in March
2002, and after further public comment, published a
"new" final version on August 14, 2002. Despite
the recent changes, the compliance deadline remains
April 14, 2003.
II. Why Was the Rule Issued?
The intent of the rule is to protect the privacy of individuals'
health care information. It creates a federal "floor"
of protection so that every person in this country has
at least the same basic rights and protections, though
some may have additional rights depending on state law.
III. Whom Does the Rule Cover?
A. Covered Entities
The Privacy Rule directly regulates three types of "covered
entities": health care providers (including individuals
and organizations), health plans (including insurers
and other payors), and health care clearinghouses (entities,
such as billing services, that process health information
from nonstandard into standard forms or vice versa).
Most components of and individuals within Partners HealthCare
System, Inc. ("Partners") are health care
providers; however, Partners itself and Partners Community
HealthCare, Inc. ("PCHI") are considered clearinghouses
because of certain billing-related functions they perform.
Importantly for Partners, the Privacy Rule allows separate covered
entities that are under common ownership or control
to designate themselves as one covered entity. Partners
has elected this option, and therefore Partners, PCHI,
and affiliated hospitals and providers are considered
to be one affiliated covered entity. This option offers
valuable efficiencies (such as use of common forms and
policies, and easier sharing of health information for
treatment and other purposes within the system). Significant
coordination, however, is needed for compliance.
B. Business Associates
While the Privacy Rule covers only the aforementioned
three entities, it expands the reach of its protections
by requiring that covered entities obtain written confidentiality
assurances from their business associates. Business
associates are defined as individuals or entities outside
of the Partners system that receive, create, or have
access to individually identifiable health information
and (1) perform a service on behalf of Partners or its
affiliates, or (2) fit within the list of specific service
providers (i.e., outside legal, actuarial, accounting,
consulting, management, administrative, accreditation,
data aggregation, and financial services).
The written assurance (which may be in a stand-alone
agreement or part of a larger contract) must include
several provisions: for example, restrictions on how
the business associate may use or release identifiable
health care information, promises to protect such information
and to return or destroy it at the end of the contract,
and assurances to make such information available for
compliance purposes. If a covered entity knows that
its business associate has violated these provisions,
the covered entity must take reasonable steps to correct
the problem and terminate the contract (in most cases)
if such steps fail.
IV. What Health Information Is Covered?
A. Protected Health Information (PHI)
The Privacy Rule protects individually identifiable
health information that a covered entity creates or
receives, whether in electronic, paper, or verbal form
("Protected Health Information" or "PHI").
The definition is broad and includes information relating
to the past, present, or future physical or mental health
of a person, the provision of health care to a person,
and payment for health care. The rule covers one's PHI
for as long as the covered entity retains it; hence,
decedents' health information is protected by this rule.
B. Deidentified Information
The Rule does not apply to deidentified health information.
It permits deidentification in two ways: (1) a qualified
statistician or expert must determine that the risk
of reidentification is "very small" and must
document the methods used to reach that conclusion;
or (2) 18 identifiers must be removed, and the covered
entity must not have actual knowledge that the remaining
information could be used to identify an individual.
The identifiers of the individual -- and of relatives,
employers, or household members of the individual --
that must be removed include:
(1) Names;
(2) All geographic subdivisions smaller than a State,
including street address, city, county, precinct,
zip code, and their equivalent geocodes, except for
the initial three digits of a zip code in certain
situations;
(3) All elements of date (except year) for dates directly
related to an individual, including birth date, discharge
date, date of death; and all ages over 89 and all
elements of dates (including year) indicative of such
age, except that such ages and elements may be aggregated
into a single category of age 90 or older;
(4) Telephone numbers;
(5) Fax numbers;
(6) Electronic mail addresses;
(7) Social security numbers;
(8) Medical record numbers;
(9) Health plan beneficiary numbers;
(10) Account numbers;
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial numbers, including
license plate numbers;
(13) Device identifiers and serial numbers;
(14) Web Universal Resource Locators (URLs);
(15) Internet Protocol (IP) address numbers;
(16) Biometric identifiers, including finger and voice
prints;
(17) Full face photographic images and any comparable
images; and
(18) Any other unique identifying number, characteristic,
or code.
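The "safe harbor" method described above is mechanical enough to implement as a filter. The following is an added example, not part of the original overview: it applies items (2) and (3) as transformations (dates reduced to year, ages over 89 collapsed into a single "90 or older" bucket, zip codes cut to three digits only where the caller confirms that the rule's "certain situations" apply) and strips the remaining identifier categories outright. The field names and the sample record are constructed assumptions about one record layout, not anything the rule prescribes.

```python
import re
from datetime import date

# Items (1) and (4)-(18): fields removed outright. Names are assumed.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "plan_id", "account", "license", "vehicle", "device_serial",
    "url", "ip", "biometric", "photo",
}
# Item (3): dates directly related to the individual keep only the year.
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date", "death_date"}

def age_category(birth: date, on: date):
    """Item (3): any age over 89 collapses into the '90 or older' bucket."""
    age = on.year - birth.year - ((on.month, on.day) < (birth.month, birth.day))
    return "90+" if age > 89 else age

def reduce_zip(zip_code: str, three_digit_allowed: bool):
    """Item (2): drop the zip unless keeping its first three digits is
    permitted (the rule allows that only in certain situations; the
    caller asserts whether they apply)."""
    m = re.fullmatch(r"(\d{3})\d{2}(-\d{4})?", zip_code)
    return m.group(1) if (m and three_digit_allowed) else None

def safe_harbor(record: dict, as_of: date, three_digit_zip_allowed=False) -> dict:
    """Return a copy of `record` with the 18 identifier categories handled."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # removed entirely
        if key in DATE_FIELDS:
            out[key + "_year"] = value.year
        elif key == "zip":
            zip3 = reduce_zip(value, three_digit_zip_allowed)
            if zip3 is not None:
                out["zip3"] = zip3
        else:
            out[key] = value              # e.g. clinical fields stay
    if "birth_date" in record:
        out["age"] = age_category(record["birth_date"], as_of)
        if out["age"] == "90+":
            # A birth year alone would reveal an age over 89, so it goes too.
            out.pop("birth_date_year", None)
    return out

# Constructed sample record (not real data).
SAMPLE = {
    "name": "Constructed Patient", "street": "1 Example Way",
    "zip": "02114-1234", "birth_date": date(1931, 3, 2),
    "admit_date": date(2002, 9, 10), "diagnosis": "pneumonia",
    "mrn": "000001", "ip": "192.0.2.10",
}
```

Whether a given field belongs in `DIRECT_IDENTIFIER_FIELDS` is a judgment about the record layout; the rule's item (18) means any further unique code in the data also has to be removed.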
C. Limited Data Set: Option for Research, Operations, and Public Health
The final Privacy Rule (August 2002) introduced a new
category of information that may be used by an entity
or disclosed externally without triggering all of the
rule's requirements. This option is available only for
research, health care operations, and public health
purposes. DHHS requires many "direct" identifiers
to be removed, but certain information - such as dates
and geographic information without street address -
may be retained. Whoever receives the information must
agree to a "data use agreement" that describes
the permitted uses and disclosures of the information
received and prohibits any attempt to reidentify or
contact the individuals. Of note, the data use agreement
has fewer requirements than a business associate agreement.
Accordingly, researchers who remove most direct identifiers but need
to retain dates (e.g., date of birth, admission and
discharge date) and some geographic information may
do so without triggering all of the Privacy Rule requirements.
Because DHHS has defined only what may not be included
in a limited data set, it is possible that other information
may also be retained. The "minimum necessary"
standard (described below) still applies, but the requirement
of accounting for all disclosures of PHI does not apply
(also described below).
V. What Does the Rule Require?
The general rule is that a covered entity may not use or
disclose PHI without an individual's written authorization,
except if permitted or required by the Privacy Rule.
Individuals have several rights that the covered entities
must protect.
VI. Select Operational Implications
- Administrative Requirements: These include:
  - Appointing personnel (e.g., a privacy officer);
  - Implementing privacy policies and procedures to comply with the rule;
  - Training the workforce;
  - Applying sanctions for violations;
  - Providing a complaint process for patients;
  - Protecting against retaliation;
  - Updating the privacy notice and other policies and procedures.
- Research (addressed further in a separate research-focused overview):
  - Changes to consent forms, policies, and procedures will be needed. For example, a consent form for a clinical trial will need to include all elements required in an authorization to use or disclose PHI.
  - A waiver of authorization is available from an IRB only if the waiver criteria required by both the Privacy Rule and the Common Rule are met. If authorization is waived, the researcher must use or disclose the minimum necessary PHI and must track all disclosures.
  - Transition provisions permit grandfathering of consents obtained and waivers approved before April 14, 2003. As of that compliance date, however, researchers will need to obtain authorizations or waivers that comply with the Privacy Rule.
  - Some third parties supporting research activities (e.g., data storage companies) may be business associates, in which case contracts must comply with the rule.
- Fundraising: Fundraising requires an individual's authorization, except for limited activities involving only demographic information and date of service (without diagnostic or treatment information).
- Marketing: Marketing requires an individual's authorization, except for face-to-face encounters and promotional gifts of nominal value. In addition, marketing is defined to exclude treatment-related communications.
- Internet and E-health Activities: A covered entity with a web site describing its services must post its notice of privacy practices prominently on the site and make the notice available electronically through the site. Web site privacy policies and terms of use will need review for compliance with the rule.
- Use of Legal Counsel: A covered entity's outside legal counsel is a business associate when the representation involves PHI. The minimum necessary standard applies, but an entity may rely on its counsel's judgment regarding the extent of information needed.
VII. How Does the Privacy Rule Affect Other Laws?
A. Preemption
The Privacy Rule generally preempts conflicting state
law, with certain exceptions. For example, a state
law that offers stricter privacy protections will
generally govern.
B. Interaction with Other Federal Laws
HHS explains in its preamble how the privacy rule
interacts with other federal laws. A full discussion
of this is not possible here, but case-by-case analysis
will be needed.
VIII. How Will HHS Enforce the Rule?
The rule permits compliance reviews by HHS and the filing
of complaints by individuals, which HHS may investigate.
HIPAA authorizes both civil and criminal penalties,
including significant fines and imprisonment.
The final privacy rule is available on-line at http://aspe.hhs.gov/admnsimp/pl104191.htm
or through http://www.hhs.gov.