Health Information Standards, Privacy, and Security: HIPAA's Administrative Simplification Regulations

Publication Date: June 2001

Publisher: Library of Congress. Congressional Research Service

Research Area: Health

Abstract:

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) instructed the Secretary of Health and Human Services (HHS) to issue standards to support the electronic transmission of health information. HIPAA also gave Congress 3 years to enact health privacy legislation; otherwise, the Secretary was required to develop health privacy standards. Congress failed to meet its own deadline, so the Clinton Administration issued a health privacy rule on December 28, 2000. The rule took effect on April 14, 2001.

The privacy rule gives patients the right to inspect and amend their medical records and restricts access to and disclosure of individually identifiable health information. Health care providers must obtain a patient's general consent to use or disclose their medical information for treatment, payment, and other health care operations. In addition, both health plans and providers must obtain a patient's specific authorization in order to use and disclose information for non-routine and most non-health care purposes. The rule specifies certain national priority activities for which health information may be disclosed without a patient's authorization.

Hospitals, health insurers, and pharmaceutical companies claim the privacy rule will compromise patient care by placing unacceptable restrictions on access to health information and be extremely costly to implement. They are especially critical of the rule's general consent provision and the requirement that, with the exception of treatment-related disclosures, providers and health plans use or disclose no more than the minimum amount of information necessary to accomplish the intended purpose. Industry groups have also criticized the rule for requiring providers and plans to enter into contracts with their business associates to ensure that these groups, which are not directly covered under HIPAA, adhere to the same privacy protections. In response to industry concerns, HHS will soon release a guidance document to help covered entities implement the privacy rule. Patient privacy advocates strongly support the rule, though they too have concerns. HIPAA did not grant HHS the authority to cover all entities that handle medical information, nor did it give patients the right to sue for violations of their health information privacy. Consumer advocates have urged HHS not to weaken any of the rule's privacy protections.

Under HIPAA, HHS is also developing electronic health information standards. On August 17, 2000, HHS issued standards that specify the content and format for electronic health care claims and other common health care transactions. The transactions standards are intended to reduce the administrative burden on health plans and providers, which today exchange information using many different paper and electronic formats. On August 12, 1998, HHS proposed a set of administrative, physical, and technical security standards, which health plans and providers must include in their operations to safeguard confidential patient information against unauthorized access, use, and disclosure. A final security rule is expected later this year. Lawmakers have introduced two bills (S. 836, H.R. 1975) that would delay implementation of HIPAA until all the standards and enforcement regulations, with the exception of the privacy rule, are published in final form.