Magazine article Information Today

HIPAA Gets New Privacy Rules

Article excerpt

There's one famous quote that can certainly apply to Congress: "Laws are like sausages, it is better not to see them being made" (Otto von Bismarck).

The high school civics version of how a bill becomes law is less the rule than the exception. In that version, the bill is introduced in one chamber, voted on, then sent to the other chamber, voted on again, and any differences worked out in conference. Then there are the final votes, and finally, it's off to the president. Congress will often merge a variety of individual bills or proposals into a single large-scale proposal. It happened in 2000 when the Children's Internet Protection Act was passed as part of a wide-ranging spending bill.

The American Recovery and Reinvestment Act of 2009, the formal name of the economic stimulus package signed by President Barack Obama in February 2009, is another example. Among its 1,079 pages are individual proposals ranging from the deep seas (support for the National Oceanic and Atmospheric Administration) to outer space (support for NASA) and from low-tech (rural water programs) to high-tech (tax credits for plug-in electric cars).

Health Information Technology

Also included are initiatives to improve healthcare quality, safety, and efficiency through better health information technology. Central components of those initiatives are the new requirements to enhance the security and privacy of health information under HIPAA (the Health Insurance Portability and Accountability Act). These requirements appear to strengthen the security and privacy rights of healthcare consumers, but they may increase the compliance challenges of healthcare providers and the healthcare information industry.

HIPAA, which was originally enacted in 1996, was created primarily to make it easier for employees to switch jobs and health insurance plans without risk of being rejected for pre-existing conditions. As part of that goal, HIPAA established a series of standards for the management and exchange of electronic health records within the healthcare industry. HIPAA also established privacy standards for those records in response to concerns about the security of patients' health information.

Covered Entities

However, concerns were raised that HIPAA's privacy standards were complex and incomplete. For one thing, the standards only apply to certain "covered entities," including healthcare providers, insurance plans, and healthcare clearinghouses. But other companies that provide service and support to the healthcare industry are not covered.

HIPAA requires healthcare providers to obtain patients' authorization before disclosing their information to third parties for marketing purposes. However, healthcare providers do not need authorization to disclose information for marketing their own health-related services. HIPAA also allows disclosure of health-related information for a variety of social purposes such as public health activities, suspicion of abuse or neglect, health oversight activities, and for law enforcement purposes, along with a court order, subpoena, or "administrative request." HIPAA does not include a requirement to provide notice to consumers in the event of a data breach. Finally, lawsuits to enforce HIPAA requirements can only be brought by the secretary of the Department of Health and Human Services and not by individuals.

The economic stimulus package addresses a number of these issues as part of a $19 billion package of healthcare technology enhancements.

Business Associates Included

The package extends many of HIPAA's security and privacy provisions to "business associates" of covered entities. …
