Notes
- “Medical Privacy and Confidentiality Survey,” California HealthCare Foundation, Final Topline, 1/10/99, available at: http://www.chcf.org/publications/1999/01/medical-privacy-and-confidentiality-survey.
- California HealthCare Foundation, “National Consumer Health Privacy Survey 2005,” conducted by Forrester Research, Inc.
- The Privacy Rule went into effect on 4/14/01, and most providers and health plans were required to be in compliance with the law by 4/14/03.
- 45 C.F.R. § 160.103.
- 45 C.F.R. § 164.524(a)(1).
- 45 C.F.R. § 164.501. The Privacy Rule defines individually identifiable health information as “a subset of health information, including demographic information collected from an individual” that (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual. See 45 C.F.R. § 160.103.
- 45 C.F.R. § 164.501.
- 45 C.F.R. § 164.524(a)(1-2). See citation for more circumstances whereby a covered entity can deny access and refuse to allow the individual an opportunity for review of the denial.
- Note that only “life or physical safety” is specified; possible harm to mental or emotional health is not a reason to deny access.
- 45 C.F.R. § 164.524(a)(3). See citation for more circumstances whereby a covered entity can deny access but individuals also have a right to request a review of the denial.
- 45 C.F.R. § 164.524(a)(3).
- 45 C.F.R. § 164.524(b)(1). Often, covered entities may contract with “business associates” to perform some of the covered entity’s functions. In the business associate contract, the business associates must agree to make protected health information available for access, amendment, and accounting of disclosures. See 45 C.F.R. § 164.504(e)(2)(ii)(E-G).
- If a covered entity needs more time to take action related to the individual’s request for access, it must, within 30 days, notify the individual with a written statement establishing the reasons for the delay and the date by which the covered entity will complete its action. The covered entity may only have one extension of time. See 45 C.F.R. § 164.524(b)(2)(iii).
- 45 C.F.R. § 164.524(b).
- 45 C.F.R. § 164.524(c)(2)(i).
- 45 C.F.R. § 164.524(c). According to the Preamble to the Privacy Rule, 65 F.R. 82557, “If the individual requests a copy of protected health information, a covered entity may charge a reasonable, cost-based fee for the copying, including the labor and supply costs of copying. If hard copies are made, this would include the cost of paper. If electronic copies are made to a computer disk, this would include the cost of the computer disk. Covered entities may not charge any fees for retrieving or handling the information or for processing the request. If the individual requests the information to be mailed, the fee may include the cost of postage. Fees for copying and postage provided under state law, but not for other costs excluded under this rule, are presumed reasonable. If such per page costs include the cost of retrieving or handling the information, such costs are not acceptable under this rule.” Available at: http://aspe.hhs.gov/admnsimp/final/PvcPre02.htm.
- 45 C.F.R. § 164.524(d).
- 45 C.F.R. § 164.524(d)(4).
- 45 C.F.R. § 164.526(a)(1).
- It is important to note that any amendment made to an individual medical record is technically a supplement to that record. In other words, no information is discarded in the amendment process. Instead, information is added that identifies and amends the relevant portion of the medical record. This process was designed primarily to ensure the integrity of the record and to protect the patient. See 45 C.F.R. § 164.526(c)(1).
- 45 C.F.R. § 164.526(a-b).
- 45 C.F.R. § 164.526(b)(2)(ii).
- 45 C.F.R. § 164.526(c).
- 45 C.F.R. § 164.526(d). The Privacy Rule also allows covered entities to include in future disclosures—in lieu of including the actual request, denials, disagreement statements, and rebuttals—“an accurate summary of any such information.” See 45 C.F.R. § 164.526(d)(4)-(5).
- 45 C.F.R. § 164.526(d). The Privacy Rule requires covered entities to inform individuals that if a disagreement statement is not submitted, the individual may request that the covered entity attach the request and denial to any future disclosures. See 45 C.F.R. § 164.526(d)(1)(iii). The Privacy Rule also allows covered entities to include in future disclosures—in lieu of including the actual request, denials, disagreement statements, and rebuttals—“an accurate summary of any such information.” See 45 C.F.R. § 164.526(d)(4)-(5).
- 45 C.F.R. § 164.526(d)(4).
- 45 C.F.R. § 164.528(a).
- Additionally, if a covered entity has made PHI disclosures for research purposes for 50 or more people, the accounting of disclosures may (with respect to such disclosures for which the PHI of the individual may have been included) provide: the name of the protocol or research activity; a description in plain language about the activity, including purpose and criteria for selecting records; a description of the type of PHI that was disclosed; when the disclosure occurred (date or period of time and the date of the last disclosure); contact information (name, address, and telephone number) of the entity that sponsored the research and of the researcher to whom the PHI was disclosed; and a statement that the PHI of the individual may or may not have been disclosed. If it is reasonably likely that the PHI of the individual was disclosed, and at the request of the individual, a covered entity must assist in contacting the entity or the researcher. See 45 C.F.R. § 164.528(b).
- 45 C.F.R. § 164.528(c)(1)(ii). The covered entity is allowed only one 30-day extension.
- 45 C.F.R. § 164.528(c).
- Other exceptions include (i) for the facility’s directory or to persons involved in the individual’s care or other notification purposes; (ii) for national security or intelligence purposes; (iii) to correctional institutions or law enforcement officials for certain purposes; (iv) as part of a limited data set; or (v) that occurred prior to the compliance date for the covered entity. See 45 C.F.R. § 164.512(k)(2), 45 C.F.R. § 164.512(k)(5), and 45 C.F.R. § 164.514(e)(2).
- 45 C.F.R. § 164.528.
- According to 45 C.F.R. § 160.202, “contrary” means, when used to compare a provision of state law to a standard, requirement, or implementation specification adopted under this subchapter: (1) a covered entity would find it impossible to comply with both the state and federal requirements; or (2) the provision of state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 264 of Pub. L. 104-191, as applicable.
- 45 C.F.R. § 160.203(c), (d).
- See 45 C.F.R. § 160.203(a) for more instances whereby the Secretary can make a determination where state law prevails. Section 45 C.F.R. § 160.204 outlines a process by which a request can be filed with the Secretary for such a determination. Any exception determination made by the Secretary applies to all persons subject to the state provision in question. When a determination is made, HHS will publish a notice in the Federal Register and on related HHS web sites. See HHS’s Office for Civil Rights, Frequently Asked Questions, Answer ID 407.
- According to 45 C.F.R. § 160.202, “more stringent” means, in the context of a comparison of a provision of state law and a standard, requirement, or implementation specification, a state law that meets one or more of the following criteria: (1) With respect to the rights of an individual who is the subject of the individually identifiable health information of access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable; (2) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information; (3) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration; (4) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information. 45 C.F.R. § 160.203(b) establishes that state laws that are more stringent are exempted from being preempted by the Privacy Rule.
- Health Privacy Project, The State of Health Privacy: A Survey of State Health Privacy Statutes, Second Edition, 2002, formerly available at: http://www.healthprivacy.org/info-url_nocat2304/info-url_nocat.htm. See also State of New York, Department of Health, HIPAA preemption charts, October 15, 2002, available at: http://www.health.state.ny.us/nysdoh/hipaa/hipaa_preemption_charts.htm.
- Health Privacy Project, The State of Health Privacy: A Survey of State Health Privacy Statutes, Second Edition, 2002, formerly available at: http://www.healthprivacy.org/info-url_nocat2304/info-url_nocat.htm.
- Health Privacy Project, The State of Health Privacy: A Survey of State Health Privacy Statutes, Second Edition, 2002, formerly available at: http://www.healthprivacy.org/info-url_nocat2304/info-url_nocat.htm.
- Health Privacy Project, The State of Health Privacy: A Survey of State Health Privacy Statutes, Second Edition, 2002, formerly available at: http://www.healthprivacy.org/info-url_nocat2304/info-url_nocat.htm.
- Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, § 261, 110 Stat. 1988 (1996).
- The HIPAA Security Rule (with an April 2005 compliance date) provides detailed provisions related to how covered entities must protect electronic health information.
- Like electronic health records (EHRs), personal health records (PHRs) can be Internet-based and are designed to provide easy access to important health-related information about patients. Unlike EHRs, however, PHRs would be controlled entirely by the patient and would include information provided by the patient.
- 45 C.F.R. § 164.524(c)(2).
- Available at: http://aspe.hhs.gov/admnsimp/final/PvcPre02.htm.
- See 45 C.F.R. § 164.504(e)(2)(ii)(E-G).
- A sub-network organization (SNO) is a health information data exchange organization (whether regional or affinity-based) that operates as part of the National Health Information Network (NHIN), a nationwide environment for the electronic exchange of health information made up of a “network of networks.”
- See Markle Connecting for Health, “The Architecture for Privacy in a Networked Health Information Environment.”
- Markle Connecting for Health, “Clinical Data Exchange Efforts in the United States: An Overview,” Data Standards Working Group: Background Paper, available at: http://www.markle.org/publications/1259-appendix-clinical-data-exchange-efforts-united-states-overview.
- Liberty Alliance Project, “Introduction to the Liberty Alliance Identity Architecture,” March 2003.
- Pam Abramowitz, “Be Prepared. Be Very Prepared: Hospitals Forging Ahead With IT Security Plans,” Health Care Finance, formerly available at: http://www.hcfinance.com/May/secure.html.
Markle Connecting for Health thanks Janlori Goldman, Research Scholar, Center on Medicine as a Profession, Columbia College of Physicians and Surgeons; Health Privacy Project, and Emily Stewart, formerly of the Health Privacy Project, for drafting this paper.
©2006-2012, Markle Foundation
These works were originally published as part of the Markle Connecting for Health Common Framework: Resources for Implementing Private and Secure Health Information Exchange. They are made available free of charge, but subject to the terms of a License. You may make copies of these works; however, by copying or exercising any other rights to the works, you accept and agree to be bound by the terms of the License. All copies of these works must reproduce this copyright information and notice.