HIPAA privacy: the compliance challenges ahead

This Article reviews the HIPAA Privacy Standards' impact on healthcare organizations. It discusses whether a healthcare organization is a "Covered Entity" under the regulations, what information the Privacy Standards protect, what restrictions the regulations place on the use and disclosure of protected health information, what individual rights the Privacy Standards create, and what agreements they require between healthcare organizations and their business associates. The author provides relatively extensive guidance to organizations that are embarking upon their voyage of compliance with these broadly applicable regulations, but notes that the full extent of necessary compliance remains unclear, pending DHHS issuance of the next iteration of the rulemaking in this area. The Article was finalized in January 2002, before HHS issued any modifications to the Privacy Standards.     

What litigators need to know about HIPAA

HIPAA's Privacy Regulations impose a number of new requirements on Covered Entities concerning disclosure of an individual's personal health information. This Article briefly outlines the primary function of HIPAA's general nondisclosure rule and discusses the exceptions under which HIPAA permits disclosure in the course of litigation or government investigations.     

Standards for privacy of individually identifiable health information. Final rule

The Department of Health and Human Services ("HHS' or "Department') modifies certain standards in the Rule entitled "Standards for Privacy of Individually Identifiable Health Information' ("Privacy Rule'). The Privacy Rule implements the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996. The purpose of these modifications is to maintain strong protections for the privacy of individually identifiable health information while clarifying certain of the Privacy Rule's provisions, addressing the unintended negative effects of the Privacy Rule on health care quality or access to health care, and relieving unintended administrative burdens created by the Privacy Rule.     

Altered states: state health privacy laws and the impact of the Federal Health Privacy Rule

Although the Federal Health Privacy Rule has evened out some of the inconsistencies between states' health privacy laws, gaps in protection still remain. Furthermore, the Federal Rule contains some lax standards for the disclosure of health information. State laws can play a vital role in filling these gaps and strengthening the protections afforded health information. By enacting legislation that has higher privacy-protective standards than the Federal Health Privacy Rule, states can play three important roles. First, because they can directly regulate entities that are beyond HHS's mandate, states can afford their citizens a broader degree of privacy protection than the Federal Health Privacy Rule. Second, by having state health privacy laws, states can enforce privacy protections at the local level. Finally, action by the states can positively influence health privacy policies at the federal level by raising the standard as to what constitutes sufficient privacy protection. High privacy protections imposed by states may serve as the standard for comprehensive federal legislation, if and when Congress reconsiders the issue. So far, states' reactions to the Federal Privacy Rule have been mixed. Only time will tell whether states will assume the mantle of leadership on health privacy or relinquish their role as the primary protectors of health information.     

Privacy Act of 1974; notification of new routine use--Public Health Service

In accordance with the requirements of the Privacy Act, the Public Health Service (PHS) is publishing notice of a proposal to establish a new routine use permitting disclosure to contractors of information in the Privacy Act system of records 09-35-0044, "Health Professions Planning and Evaluation," HHS/HRA/OA.     

Bioterrorism meets privacy: an analysis of the Model State Emergency Health Powers Act and the HIPAA privacy rule

Ms. Bruce's paper analyzes the interplay between the Model State Emergency Health Powers Act and the HIPAA Privacy Rule. The article begins by examining specific relevant provisions of the Act and Rule. Next, it traces the history of public health law through the court system and then uses this foundation to discuss how the Model State Emergency Health Powers Act and the HIPAA Privacy Rule could co-exist, protecting Americans in the case of a bioterror attack, while being appropriately sensitive to the confidentiality of private health information.     

Disentangling privacy from property: toward a deeper understanding of genetic privacy

With the mapping of the human genome, genetic privacy has become a concern to many. People care about genetic privacy because genes play an important role in shaping us--our genetic information is about us, and it is deeply connected to our sense of ourselves. In addition, unwanted disclosure of our genetic information, like a great deal of other personal information, makes us vulnerable to unwanted exposure, stigmatization, and discrimination. One recent approach to protecting genetic privacy is to create property rights in genetic information. This Article argues against that approach. Privacy and property are fundamentally different concepts. At heart, the term "property" connotes control within the marketplace and over something that is disaggregated or alienable from the self. "Privacy," in contrast, connotes control over access to the self as well as things close to, intimately connected to, and about the self. Given these different meanings, a regime of property rights in genetic information would impoverish our understanding of that information, ourselves, and the relationships we hope will be built around and through its disclosure. This Article explores our interests in genetic information in order to deepen our understanding of the ongoing discourse about the distinction between property and privacy. It develops a conception of genetic privacy with a strong relational component. We ordinarily share genetic information in the context of relationships in which disclosure is important to the relationship--family, intimate, doctor-patient, researcher-participant, employer-employee, and insurer-insured relationships. Such disclosure makes us vulnerable to and dependent on the person to whom we disclose it. As a result, trust is essential to the integrity of these relationships and our sharing of genetic information. Genetic privacy can protect our vulnerability in these relationships and enhance the trust we hope to have in them. Property, in contrast, by connoting commodification, disaggregation, and arms-length dealings, can negatively affect the self and harm these relationships. This Article concludes that a deeper understanding of genetic privacy calls for remedies for privacy violations that address dignitary harm and breach of trust, as opposed to market harms, as the property model suggests.     

Legal audits and investigations: a key component of healthcare corporate compliance programs

In today's complex legal environment, healthcare organizations are increasingly implementing voluntary compliance programs as a means of avoiding severe penalties for violations of the law. The Office of the Inspector General has identified legal audits and investigations as key components of effective compliance programs. The author demonstrates the applicability of legal audits and investigations to healthcare organizations by examining the audit and investigation process from beginning to end. The author also examines the role of attorneys in legal audits and investigations, and explains how information communicated from the healthcare organization to its attorneys can be protected from disclosure. As this Article indicates, the monetary and human resource costs of such compliance audits and investigations are insignificant when compared to the potential costs of defending a legal action or paying monetary penalties.     

Privacy Act of 1974; system of records--PHS

In accordance with the Privacy Act, the Public Health Service (PHS) is publishing notice of a proposal to add a new routine use to system of records 00-37-0013. "Health Resources Utilization Statistics, HHS/OASH/NCHS." This system of records is maintained in the National Center for Health Statistics (NCHS) for the purposes of collecting statistics on the utilization of health services, processing and analyzing the data, and publication of the statistical findings. NCHS is proposing to add a new routine use to permit disclosure of information to a contractor. PHS invites interested persons to submit comments on or before January 11, 1984.     

Administrative simplification: adoption of a standard for a unique health plan identifier; addition to the National Provider Identifier requirements; and a change to the compliance date for the International Classification of Diseases, 10th Edition (ICD-10-CM and ICD-10-PCS) medical data code sets. Final rule

This final rule adopts the standard for a national unique health plan identifier (HPID) and establishes requirements for the implementation of the HPID. In addition, it adopts a data element that will serve as an other entity identifier (OEID), or an identifier for entities that are not health plans, health care providers, or individuals, but that need to be identified in standard transactions. This final rule also specifies the circumstances under which an organization covered health care provider must require certain noncovered individual health care providers who are prescribers to obtain and disclose a National Provider Identifier (NPI). Lastly, this final rule changes the compliance date for the International Classification of Diseases, 10th Revision, Clinical Modification (ICD-10-CM) for diagnosis coding, including the Official ICD-10-CM Guidelines for Coding and Reporting, and the International Classification of Diseases, 10th Revision, Procedure Coding System (ICD-10-PCS) for inpatient hospital procedure coding, including the Official ICD-10-PCS Guidelines for Coding and Reporting, from October 1, 2013 to October 1, 2014.     

Confidentiality of genetic information in the workplace

This Article analyzes existing legal protections for the confidentiality of information collected through genetic screening or genetic monitoring in the workplace. It notes that there are a variety of protections, such as ethical codes for occupational physicians, statutes protecting health care information in the hands of the employers, and tort, contract and constitutional principles. It describes defenses to suits based on improper disclosure of medical information. The Article then analyzes legal bases for employee and third party access to the employee's genetic information. In response to gaps in existing legal protections, it suggests parameters for a model law protecting the confidentiality of genetic information collected in the workplace.     

Privacy Act of 1974; system of records--PHS. Notification of a proposal to add a routine use and to add a special disclosure statement to the existing system of records 09-37-0015

In accordance with the requirements of the Privacy Act and the Debt Collection Act of 1982 (Pub. L 97-365), the Public Health Service (PHS) is publishing notice of a proposal to add a new routine use and the (b)(12) special disclosure statement to consumer reporting agencies to system of records 09-37-0015, National Center for Health Services Research Grant Records System. The new routine use is for the purpose of determining credit worthiness of individual grant applicants of the National Center for Health Services Research (NCHSR).     

Privacy Act of 1974; proposed new routine uses--PHS. Notification of new routine uses permitting disclosure of information from four Privacy Act systems of records

In accordance with the requirements of the Privacy Act, the Public Health Service (PHS) is publishing notice of a proposal to establish new routine uses permitting disclosure of information from four Privacy Act systems of records maintained by the National Institutes of Health (NIH): 09-25-0008, "Administration: Radiation Workers Monitoring, HHS/NIH/ORS"; 09-25-0010, "Research Resources: Registry of Individuals Potentially Exposed to Microbial Agents, HHS/NIH/NCI"; 09-25-0077, "Clinical Research: Biological Carcinogenesis Branch Human Specimen Program, HHS/NIH/NCI"; and 09-25-0099, "Clinical Research: Patient Medical Records, HHS/NIH/CC." The NIH Office of Research Services (ORS) is responsible for the first of these systems. The National Cancer Institute (NCI), a component of NIH, maintains the second and third systems of records. The NIH Clinical Center (CC) maintains the fourth system. The new routine uses will allow disclosure to contractors for routine records keeping and processing activities. These disclosures will be wholly compatible with the purposes of these systems, as discussed below.     

The clinical trial research participant as an inside trader: a legal and policy analysis

This Article examines whether a participant in a clinical research trial for a drug obtains material nonpublic information about the drug and its manufacturer or licensor and, if so, whether the participant may lawfully trade securities based on that information. This issue has been noted but not examined in depth in several articles in recent years. After an introduction to the federal law of insider trading and a discussion of relevant aspects of a supervised research trial, the Article concludes that, absent an agreement to the contrary, the participant would be free to trade securities based on any material nonpublic information learned in the trial. The author evaluates the extent to which the information is material and nonpublic and then presents the policy issues surrounding whetherthe participantshould be precluded from trading when in possession of material nonpublic information gained as a result of participation in the trial. While not resolving the competing policy considerations, including the value of allowing participants to make disclosure of their experiences in the trial before publication of the results in a peer reviewed journal, the Article presents an approach for preventing the misuse of material nonpublic information gained in the clinical trial context, by obtaining an agreement from the participant, and an agreement from the limited circle of persons to whom the participant should be allowed to make disclosure in any event (such as his personal physician and family members), that would render any trading by them unlawful under the federal law of insider trading.     

Privacy Act of 1974; report of new routine use and minor revisions--SSA

In accordance with the Privacy Act (5 U.S.C. 552a(e)(11)), we are issuing public notice of our intent to establish a new routine use of information in the system of records entitled Master Files of Social Security Number (SSN) Holders, HHS/SSA/OSR, 09-60-0058. The proposed routine use will permit disclosure of information to organizations/agencies which are required by law to provide SSA with SSN information. We also have made minor revisions to the Federal Register notice applicable to the system. We invite public comments on this publication.     

Privacy Act of 1974; systems of records--PHS

In accordance with the requirements of the Privacy Act and the Debt Collection Act of 1932 (Pub. L. 97-365), the Public Health Service (PHS) is publishing a notice of a proposal to add three routine uses and a "special disclosure" statement to four systems of records in the Alcohol, Drug Abuse, and Mental Health Administration (ADAMHA). PHS invites interested persons to submit comments on the proposed routine uses on or before February 27, 1984.     

Medicaid program: computer matching and privacy protection for Medicaid eligibility--HCFA. Final rule

This final rule revises regulations concerning the income and eligibility verification system (IEVS) under the Medicaid program. It implements provisions of the Computer Matching and Privacy Protection Act of 1988 and the Computer Matching and Privacy Protection Amendments of 1990. These laws improve the oversight and procedures governing the disclosure of personal information used in computer matching programs and protect the privacy and due process rights of individuals whose records are exchanged by these programs.     

HIPAA standards for privacy of individually identifiable health information: an introduction to the consent debate

On March 27, 2002, DHHS published proposed amendments to the Privacy Standards under HIPAA. The most controversial of these changes is the removal of the requirement that providers obtain patient consent before using or disclosing protected health information for treatment, payment, and healthcare operations. Some see this change as a rejection of privacy rights, while others see it as an acknowledgement of practical reality. This comment introduces the reader to the issues that are debated immediately following in the articles by Geralyn A. Kidera and Kristen Rosati.     

Regulating through information: disclosure laws and American health care

Efforts to reform the American health care system through direct government action have failed repeatedly. Nonetheless, an alternative strategy has emerged from these experiences: requiring insurance organizations and health care providers to disclose information to the public. In this Article, Professor Sage assesses the justifications for this type of regulation and its prospects. In particular, he identifies and analyzes four distinct rationales for disclosure. He finds that the most commonly articulated goal of mandatory disclosure laws--improving the efficiency of private purchasing decisions by giving purchasers complete information about price and quality--is the most complicated operationally. The other justifications--which he respectively terms the agency, performance, and democratic rationales--hold greater promise, but make different, sometimes conflicting assumptions about the sources and uses of information. These insights have implications not only for health care, but also for other regulated practices and industries.