Final Rule for Standards for Privacy of Individually Identifiable Health Information

Analysis by the AHIMA Policy and Government Relations Team 

This entire document is also available as a single PDF (portable document format) file. It is a very large file (86 pages, 520K) and may take sometime to download. 

Amid fanfare that included a presidential address, the Department of Health and Human Services (DHHS), released the final rule [Rule or Privacy Rule] for "Standards for Privacy of Individually Identifiable Health Information" in December 2000. The rule, which has been controversial since its beginnings, is the second administrative simplification regulation to be released as a result of the 1996 Health Insurance Portability and Accountability Act (HIPAA) Public Law 104-191.

AHIMA's analysis will cover the rule itself, any expected effects on health information management (HIM), and resources for further information, training, and implementation. HIM professionals should note that the rule contains both procedural and "legal" requirements and has a compliance date two years after its effective date. The rule is also substantially different than that proposed by DHHS in November 1999. Given the controversy and attention this rule continues to receive, it is very possible that there could be changes to the rule before it is actually implemented. While it would not be prudent to wait to begin implementing this Rule readers are encouraged to regularly monitor AHIMA's Web site for any developments, changes, delays, or additions that might occur over the next few years. AHIMA will continue to keep you posted.

While this analysis highlights much of the 367 pages in the final rule, it is not a substitute for a close review of the entire rule. The rule was written by a large group of federal staff members with both complementary and contrasting styles. Many parts of the Rule are very detailed and somewhat confusing. This analysis attempts to provide a nonlegal perspective on such language. There are points within the Rule where this analysis drops or ignores a section because it essentially says: "The rule is to obey the Rule." On the other hand, where appropriate, this analysis contains the exact wording of the Rule in quotations, because the language is what will be used to hold a covered entity accountable.

The actual rule itself is only 31 pages long, but given the detail and legal aspects of the regulation, it will be important to review all sections closely. The final rule was published essentially in four sections:

• Pages 65FR82462-82565 cover background, history, and a section-by-section review of the proposed and final rule. The review assists with specific detail, on any single section of the final rule.

 
• Pages 65FR82565-82758 cover general comments, section-by-section. Here the discussion responds to more than 50,000 commentaries (grouped). For this particular Rule, this section is well worth your reading time and also provides details that explain the "why" behind some of the final Rule's sections.

 
• Pages 65FR82758-82798 cover the final regulatory impact analysis. The Secretary of the Department of Health and Human Services (Secretary) is suggesting that the overall costs of implementation will cost the healthcare¹ industry $17.6 billion dollars over ten years. This section will create significant discussion in the months to come. You will have to decide if you agree with the amounts in question, but this section does provide some thinking about what activities must be implemented over the next several years.

 
• Pages 65FR82798-82829 cover the final Rule language. Our commentary is primarily based on this section. The language and content constitutes what covered entities must comply with.

This analysis includes:

• Information Regarding the Rule Publication

• Effective Dates

• What the Rule Covers
• Application to Specific Entities
• Health Care Provider
• Direct treatment relationship
• Indirect treatment relationship
• Health Care Clearinghouse
• Health Plan
• Business Associate

 
• Definitions

 
• Preemption of State [and other] Law[s]
• "Contrary" and "More Stringent"

 
• Uses and Disclosure of Protected Health Information: General Rules
• Minimum Necessary
• Organized Health Care Arrangement
• Payment

 
• Uses and Disclosures of De-Identified Protected Health Information
• Uses and Disclosures to Create De-Identified Information
• De-Identification of PHI
• Disclosures to Business Associates
• Rules Related to Individuals or Parties
• Uses and Disclosures Consistent With Notice
• Disclosures by Whistleblowers and Workforce Member Crime Victims
• Disclosures by Whistleblowers
• Disclosures by Workforce Members Who Are Victims of a Crime

 
• Uses and Disclosures: Organizational Requirements
• Hybrid Entities
• Affiliated Covered Entities
• Business Associate Contracts
• Requirements for Group Health Plans
• Requirements for a Covered Entity with Multiple Covered Functions

 
• Consent for Use or Disclosures to Carry Out Treatment, Payment, or Health Care Operations
• Consent Requirement
• Resolving Conflicting Consents and Authorizations
• Joint Consents

 
• Uses and Disclosures for Which an Authorization Is Required
• Authorizations for Uses and Disclosures
• Psychotherapy Notes

 
• Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object
• Use and Disclosure for Facility Directories
• Uses and Disclosures for Involvement in the Individual’s Care and Notification Purposes
• Use and Disclosure for Disaster Relief Purposes

 
• Use and Disclosures for Which Consent, an Authorization, or Opportunity to Agree or Object Is Not Required
• Uses and Disclosure Required by Law
• Uses and Disclosure for Public Health Activities
• Disclosure About Victims of Abuse, Neglect or Domestic Violence
• Uses and Disclosures for Health Oversight Activities
• Disclosures for Judicial and Administrative Proceedings
• Disclosure for Law Enforcement Purposes
• Uses and Disclosures About Decedents
• Uses and Disclosures for Research Purposes
• Uses and Disclosures to Avert a Serious Threat to Health or Safety
• Uses and Disclosure for Specialized Government Functions
• Correctional Institutions and Other Law Enforcement Custodial Situations
• Disclosure for Workers’ Compensation
• Presidential Executive Order: To Protect the Privacy of Protected Health Information in Oversight Investigations

 
• Other Requirements Relating to Uses and Disclosures of Protected Health Information
• Uses and Disclosures of PHI for Marketing
• Uses and Disclosures for Fundraising
• Uses and Disclosures for Underwriting and Related Purposes
• Verification Requirement

 
• Notice of Privacy Practices for Protected Health Information
• Notice of Privacy Practices-Right to Notice

 
• Rights to Request Privacy Protection for Protected Health Information
• Right of an Individual to Request Restriction of Uses and Disclosures of PHI
• Confidential Communication Requirements

 
• Access of Individuals to Protected Health Information
• Access to PHI-Right of Access

 
• Amendment of Protected Health Information
• Right to Amend

 
• Accounting of Disclosures of Protected Health Information
• Right to an Accounting of Disclosures of PHI

 
• Administrative Requirements
• Personnel Designations-Privacy Officer
• Training
• Safeguards
• Complaints to the Covered Entity
• Sanctions
• Mitigation
• Refraining From Intimidating or Retaliatory Acts
• Waiver of Rights
• Policies and Procedures
• Changes to Policies or Procedures
• Change in Law
• Documentation
• Group Health Plans

 
• Modifications

 
• Transition Provisions
• Effect of Prior Consents and Authorizations

 
• Compliance and Enforcement

 
• Complaints to the Secretary

 
• Secretarial Action Regarding Complaints and Compliance Reviews

 
• Reaction to AHIMA’s Previous Comments

 
• Background and History

 
• Resources

Information Regarding the Rule Publication

Titled "Standards for Privacy of Individually Identifiable Health Information," the Rule can be found in the Federal Register, Vol. 65, No. 250, Pages 82462-82829, published on Thursday, December 28, 2000. Two companion notices were published in the Federal Register:

• Tuesday, December 26, 2000-Executive Order 13181 "To Protect the Privacy of Protected Health Information in Oversight Investigations" (65FR81321)² and
• Friday, December 29, 2000-"Technical Corrections to the Standards for Privacy of Individually Identifiable Health Information Published December 28, 2000" (65FR82944).

Copies of the Federal Register can be purchased individually from the Superintendent of Documents. However, it will take several weeks to receive a copy³  A much easier way to obtain a copy is to access the Federal Register and Government Printing Office Web site at http://www.access.gpo.gov/su_docs/fedreg/a001228c.html. Downloading the Rule requires the use of Adobe Acrobat Software, which is available for free at the GPO Web Site. The software is safe to download and use. Access to the Rule will also be available at other Web sites listed in the "resource" section of this analysis.

Similar access to the two companion documents can be found at: http://www.access.gpo.gov/su_docs/fedreg/a001226c.html for the Executive Order and http://www.access.gpo.gov/su_docs/fedreg/a001229c.html for the Technical Corrections.

Effective Dates

While this final Rule was published on December 28, 2000, it's effective date, originally posted as February 26, 2001, now stands as April 14, 2001. The change in dates was due to a technical error made by DHHS that was not corrected until mid-February. Congress could technically rescind or change the legislation sustaining the Rule. While there has been much debate on the Rule, it does not appear that the effective date will be changed at this writing.

Presuming that the Rule's effective date is not delayed, the implementation dates, or "compliance by" dates will be (§164.534) April 14, 2003 for all covered entities except those designated as "small health plans,"⁴ whose "compliance by" date will be February 26, 2004.

Go to What the Rules Cover: Application to Specific Entities.