Final Rule for Standards for Privacy of Individually Identifiable Health Information

Final Rule for Standards for Privacy of Individually Identifiable Health Information

Analysis by the AHIMA Policy and Government Relations Team

Background and History

As noted at the beginning of this document, the final HIPAA privacy rule was published in the Federal Register on December 28, 2000. The content of the final rule was determined on the basis of the content of and comments to the NPRM published in November of 1999, as well as "fact finding" meeting conducted by DHHS and members of the (Clinton) White House staff. AHIMA members and staff were involved in some of the fact-finding meetings.

More than 50,000 comments were made to the proposed Rule. The final Rule's comment section (65FR82565) groups these comments and the Secretary's comments. As noted above a reading of this section will provide greater depth on the rationale DHHS used in promulgating the final Rule.

The final Rule's preamble (65FR82463) gives a detailed history and philosophy behind the Rule and the federal government's approach. It should be noted that while these privacy regulations were included under the HIPAA administrative simplification umbrella, Congress and the administration embraced a much larger goal than the privacy protection of electronic data transactions. It is for that reason that the HIPAA law and the Privacy Rule fall short on some of the protections that AHIMA and other organizations sought to achieve.

Between the signing of HIPAA and the final Rule there was hope that the Congress would pass additional legislation to make up for the deficiencies in the privacy requirements of HIPAA and what the Secretary could and could not include in regulation. Unfortunately, no legislation was passed. Readers of the Rule will see several suggestions by the Secretary for more legislation, and it will be up to the Congress to fill in these gaps, or individuals will quickly find the limits to protection this Rule provides.

Many see this Rule as a first step. It is applying confidentiality to an environment that is in transition from paper to electronic media. The HIPAA security rule and the enforcement rule will also have considerable bearing on the implementation of this Privacy Rule. At present, these rules are expected to be released in 2001, but no dates have been set.

Go to next section: Resources.

Go to previous section, Reaction to AHIMA's Previous Comments.

Go to document index.