Introduction
The shift of medical records from paper to electronic formats has
increased the potential for individuals to access, use, and disclose
sensitive personal health data. Although protecting individual privacy is
a long-standing tradition among health-care providers and public health
practitioners in the United States, previous legal protections at the
federal, tribal, state, and local levels were inconsistent and inadequate.
A patchwork of laws provided narrow privacy protections for selected
health data and certain keepers of that data (1).
The U.S. Department of Health and Human Services (DHHS) has addressed
these concerns with new privacy standards that set a national minimum of
basic protections, while balancing individual needs with those of society.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
was adopted to ensure health insurance coverage after leaving an employer
and also to provide standards for facilitating health-care-related
electronic transactions. To improve the efficiency and effectiveness of
the health-care system, HIPAA included administrative simplification
provisions that required DHHS to adopt national standards for electronic
health-care transactions (2). At the same time, Congress recognized
that advances in electronic technology could erode the privacy of health
information. Consequently, Congress incorporated into HIPAA provisions
that mandated adoption of federal privacy protections for certain
individually identifiable health information.
The HIPAA Privacy Rule (Standards for Privacy of Individually
Identifiable Health Information) (3) provides the first national
standards for protecting the privacy of health information. The Privacy
Rule regulates how certain entities, called covered entities, use and
disclose certain individually identifiable health information, called
protected health information (PHI). PHI is individually identifiable
health information that is transmitted or maintained in any form or medium
(e.g., electronic, paper, or oral), but excludes certain educational
records and employment records. Among other provisions, the Privacy Rule
- gives patients more control over their health information;
- sets boundaries on the use and release of health records;
- establishes appropriate safeguards that the majority of health-care
providers and others must achieve to protect the privacy of health
information;
- holds violators accountable with civil and criminal penalties that
can be imposed if they violate patients' privacy rights;
- strikes a balance when public health responsibilities support
disclosure of certain forms of data;
- enables patients to make informed choices based on how individual
health information may be used;
- enables patients to find out how their information may be used and
what disclosures of their information have been made;
- generally limits release of information to the minimum reasonably
needed for the purpose of the disclosure;
- generally gives patients the right to obtain a copy of their own
health records and request corrections; and
- empowers individuals to control certain uses and disclosures of
their health information.
The deadline to comply with the Privacy Rule is April 14, 2003, for the
majority of the three types of covered entities specified by the rule [45
CFR § 160.102]. The covered entities are
- health plans,
- health-care clearinghouses, and
- health-care providers who transmit health information in electronic
form in connection with certain transactions.
At DHHS, the Office for Civil Rights (OCR) has oversight and
enforcement responsibilities for the Privacy Rule. Comprehensive guidance
and OCR answers to hundreds of questions are available at http://www.hhs.gov/ocr/hipaa
(4).
Impact on Public Health
Public health practice and research, including such traditional public
health activities as program operations, public health surveillance,
program evaluation, terrorism preparedness, outbreak investigations,
direct health services, and public health research, use PHI to identify,
monitor, and respond to disease, death, and disability among populations.
Public health authorities have a long history of protecting and preserving
the confidentiality of individually identifiable health information. They
also recognize the importance of protecting individual privacy and
respecting individual dignity to maintaining the quality and integrity of
health data. CDC and others have worked to consistently strengthen federal
and state public health information privacy practices and legal
protections (5).
DHHS recognized the importance of sharing PHI to accomplish essential
public health objectives and to meet certain other societal needs (e.g.,
administration of justice and law enforcement). Therefore, the Privacy
Rule expressly permits PHI to be shared for specified public health
purposes. For example, covered entities may disclose PHI, without
individual authorization, to a public health authority legally authorized
to collect or receive the information for the purpose of preventing or
controlling disease, injury, or disability [45 CFR § 164.512(b)] (Box
1). Further, the Privacy Rule permits covered entities to make
disclosures that are required by other laws, including laws that require
disclosures for public health purposes.
Thus, the Privacy Rule provides for the continued functioning of the
U.S. public health system. Covered entities should become fully aware of
the scope of permissible disclosures for public health activities as well
as state and local reporting laws and regulations. Moreover, a public
health authority may also be a covered entity. For example, a public
health agency that operates a health clinic, providing essential
health-care services and performing covered transactions electronically,
is a covered entity.
This report provides guidance to public health authorities and their
authorized agents, researchers, and health-care providers in interpreting
the Privacy Rule as it affects public health. CDC recommends that public
health authorities share the information in this report with covered
health-care providers and other covered entities and work closely with
those entities to ensure implementation of the rule consistent with its
intent to protect privacy while permitting authorized public health
activities to continue.