
HIPAA Changes in H.R. 1
The American Recovery and Reinvestment Act of 2009

Restrictions on Certain Disclosures and Sales of Health Information; Accounting of Certain Protected Health Information Disclosures; Access to Certain Information in Electronic Format
House bill Sec. 4405
Senate bill Sec. 13405
Conference agreement Sec. 13405

This text is from the Conference Committee Report

Current Law

The privacy rule established several individual privacy rights. First, it established a new federal legal right for individuals to see and obtain a copy of their own PHI in the form or format requested by the individual, if it is readily producible in such form or format. If not, then the information must be provided in hard copy or such form or format as agreed to by the covered entity and the individual. The covered entity can impose reasonable, cost-based fees for providing the information. Second, the rule gives individuals the right to amend or supplement their own PHI. The covered entity must act on an individual's request for amendment within 60 days of receiving the request. That deadline may be extended up to 30 days. Third, individuals have the right to request that a covered entity restrict the use and disclosure of their PHI for the purposes of treatment, payment, or health care operations. However, the covered entity is not required to agree to such a restriction unless it has entered into an agreement to restrict, in which case it must abide by the agreement. Finally, individuals have the right to an accounting of disclosures of their PHI by a covered entity during the previous six years, with certain exceptions. For example, a covered entity is not required to provide an accounting of disclosures that have been made to carry out treatment, payment, and health care operations.

The privacy rule incorporates a minimum necessary standard. Whenever a covered entity uses or discloses PHI or requests such information from another covered entity, it must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose of the use or disclosure. There are a number of circumstances in which the minimum necessary standard does not apply; for example, disclosures to or requests by a health care provider for treatment purposes. The rule also permits the disclosure of a "limited data set" for certain specified purposes (e.g., research), pursuant to a data use agreement with the recipient. A limited data set, while not meeting the rule's definition of de-identified information (see below), has most direct identifiers removed and is considered by HHS to pose a low privacy risk.

House Bill

The House bill would give individuals the right to receive an electronic copy of their PHI, if it is maintained in an electronic health record. Any associated fee charged by the covered entity could only cover its labor costs for providing the electronic copy. The bill would require a health care provider to honor a patient's request that the PHI regarding a specific health care item or service not be disclosed to a health plan for purposes of payment or health care operations, if the patient paid out-of-pocket in full for that item or service. The House bill also would give an individual the right to receive an accounting of PHI disclosures made by covered entities or their business associates for treatment, payment, and health care operations during the previous three years, if the disclosures were through an electronic health record. Within 18 months of adopting standards on accounting of disclosures (as required under PHSA Section 3002, as added by Section 4101 of this Act), the Secretary would be required to issue regulations on what information shall be collected about each disclosure. For current users of electronic health records, the accounting requirements would apply to disclosures made on or after January 1, 2014. For covered entities yet to acquire electronic health records, the accounting requirements would apply to disclosures on or after January 1, 2011, or the date of electronic health record acquisition, whichever is later.

The House bill would require covered entities to limit the use, disclosure, or request of PHI, to the extent practicable, to a limited data set or, if needed, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request. This requirement would sunset at such a time as the Secretary issues guidance on what constitutes minimum necessary. The Secretary would have 18 months to issue such guidance. In addition, the bill would clarify that the entity disclosing the PHI (as opposed to the requester) makes the minimum necessary determination. The HIPAA privacy rule's exceptions to the minimum necessary standard would continue to apply.

Within 18 months of enactment, the Secretary would be required to issue regulations to eliminate from the definition of health care operations those activities that can reasonably and efficiently be conducted with de-identified information or that should require authorization for the use or disclosure of PHI.

The House bill would prohibit the sale of PHI by a covered entity or business associate without patient authorization except in certain specified circumstances, such as to recoup the costs of preparing and transmitting data for public health or research activities (as defined in the HIPAA privacy rule), or to provide an individual with a copy of his or her PHI. Within 18 months of enactment, the Secretary would be required to issue regulations governing the sale of PHI.

Finally, the House bill specifies that none of its provisions would constitute a waiver of any health privacy privilege otherwise applicable to an individual.

Senate Bill

The Senate bill includes all the same provisions as the House bill, other than the final provision protecting an individual's health privacy privileges, but with the following additional language: (1) in developing guidance on what constitutes minimum necessary, the Secretary would be required to take into consideration the information necessary to improve patient outcomes and to manage chronic disease; (2) in developing regulations on the accounting of disclosures through an EHR, the Secretary would be required to take into account an individual's interest in learning when the PHI was disclosed and to whom, as well as the cost of accounting for such disclosures; (3) regarding the definition of health care operations, the Secretary would be required to review and evaluate the definition and, to the extent necessary, eliminate those activities that could reasonably and efficiently be conducted using de-identified information or that should require authorization; (4) the Secretary could not require the use of de-identified information or require authorization for the use and disclosure of information for activities within a covered entity that are described in paragraph one of the definition of health care operations; and (6) in developing regulation governing the sale of PHI, the Secretary would be required to evaluate the impact of charging an amount to cover the costs of preparing and transmitting data for public health or research activities.

Conference Agreement

The conference agreement maintains most of these provisions but makes small modifications. The conference agreement takes the Senate changes on issuing guidance on what constitutes minimum necessary and what factors have to be considered. The conference agreement requires an accounting of disclosures but has a longer timeframe for allowing providers to come into compliance with this requirement than the House bill and shorter than the Senate bill. The requirement to account for disclosures under this section is prospective. For example, a covered entity that acquires an electronic health record as of June 30, 2012 would be required to account for disclosures made through that electronic health record as of June 30, 2012 and forward. The covered entity would be required to retain that accounting for a period of three years. Thus, if an individual requested an accounting for disclosures on June 30, 2015, the covered entity would be required to provide that accounting for the period of June 30, 2012 to June 30, 2015, with respect to such individual, consistent with the requirements of Section 13405. However, if an individual requested an accounting of disclosures on June 30, 2013, the covered entity would be required to provide such accounting only for the period of June 30, 2012 to June 30, 2013.

Section 13405(c)(4) of the Senate-passed bill included a provision allowing the imposition of a reasonable fee for the accounting for disclosures required under this Section. However, this statutory provision was duplicative of an existing provision under 45 CFR 164.528(c)(2) which already allows for the imposition of a reasonable fee for providing such accounting, so the provision from the Senate-passed bill was struck.

The conference agreement strikes the provision requiring the Secretary to review the definition of health care operations. The conference agreement permits the sale of protected health information in cases of research but only limited to costs of preparing and transmitting data. It also permits the sale of protected health information for public health activities the Secretary is required to study and determine whether costs should be limited. The conference agreement allows an individual to request their health information in an electronic format if it is maintained in such a format for a reasonable cost-based fee as it was in the House and Senate bills. The conference agreement permits the individual to designate that the information be sent to another entity or person. Finally, the conference agreement specifies that none of its provisions would constitute a waiver of any health privacy privilege otherwise applicable to an individual, but moves this provision to section 13421 Relationship to Other Laws.

 

 

 

 

Copyright 2005-2010, Bricker & Eckler LLP, all rights reserved.