
HIPAA Changes in H.R. 1
The American Recovery and Reinvestment Act of 2009

Definitions
House bill Sec. 4400
Senate bill Sec. 13400
Conference agreement Sec. 13400

This text is from the Conference Committee Report

Current Law

Under the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA; P.L. 104-191), Congress set itself a three-year deadline to enact health information privacy legislation. If, as turned out to be the case, lawmakers were unable to pass such legislation before the deadline, the HHS Secretary was instructed to promulgate regulations containing standards to protect the privacy of individually identifiable health information. The HIPAA privacy rule (45 CFR Parts 160, 164) established a set of patient rights, including the right of access to one's medical information, and placed certain limitations on when and how health plans and health care providers may use and disclose such protected health information (PHI). Generally, plans and providers may use and disclose health information for the purpose of treatment, payment, and other health care operations without the individual's authorization and with few restrictions. In certain other circumstances (e.g., disclosures to family members and friends), the rule requires plans and providers to give the individual the opportunity to object to the disclosure. The rule also permits the use and disclosure of health information without the individual's permission for various specified activities (e.g., public health oversight, law enforcement) that are not directly connected to the treatment of the individual. For all uses and disclosures of health information that are not otherwise required or permitted by the rule, plans and providers must obtain a patient's written authorization.

The HIPAA privacy rule also permits health plans and health care providers--referred to as HIPAA covered entities--to share health information with their business associates who provide a wide variety of functions for them, including legal, actuarial, accounting, data aggregation, management, administrative, accreditation, and financial services. A covered entity is permitted to disclose health information to a business associate or to allow a business associate to create or receive health information on its behalf, provided the covered entity receives satisfactory assurance in the form of a written contract that the business associate will appropriately safeguard the information.

In addition to health information privacy standards, HIPAA's Administrative Simplification provisions instructed the Secretary to issue security standards to safeguard PHI in electronic form against unauthorized access, use, and disclosure. The security rule (45 CFR Parts 160, 164) specifies a series of administrative, technical, and physical security procedures for providers and plans to use to ensure the confidentiality of electronic health information.

House Bill

The House bill defines the following key privacy and security terms, in most cases by reference to definitions in the HIPAA Administrative Simplification standards: breach, business associate, covered entity, disclose, electronic health record, electronic medical record, health care operations, health care provider, health plan, National Coordinator, payment, personal health record, protected health information, Secretary, security, state, treatment, use, and vendor of personal health records.

Senate Bill

Same provision.

Conference Agreement

The Conference report includes some technical modifications to the definitions.

One set of such modifications is included in the definition of “breach”. The Conference report includes a technical change to clarify that some inadvertent disclosures can constitute a breach under the meaning of this subtitle. The conference report clarifies the definition to stipulate that disclosures (as defined in 45 CFR 164.103) constitute a breach, except as otherwise provided under the definition. The definition provides that a disclosure where a person would not reasonably be able to retain the information disclosed is not a breach. Also not a breach is any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, provided that any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.

Another set of such modifications pertains to the definition of Personal Health Records. Specifically, the report clarifies that Personal Health Records are “managed, shared, and controlled by or primarily for the individual.” This technical change clarifies that PHRs include the kinds of records managed by or for individuals, but does not include the kinds of records managed by or primarily for commercial enterprises, such as life insurance companies that maintain such records for their own business purposes. By extension, a life insurance company would not be considered a PHR vendor under this subtitle. A second clarification in the definition of PHR is the use of the term “PHR individual identifiable health information” (as defined in section 13407(f)(2)). In the House and Senate bills, the term “individually identifiable health information” was used. Use of that term would have required that, to be considered a PHR, an electronic record would have to include information that was “created or received by a health care provider, health plan, employer, or health care clearinghouse.” However, there is increasing use of electronic records that contain personal health information that has not been created or received by a health care provider, health plan, employer, or health care clearinghouse. Use of the term “individually identifiable health information” would have thus improperly narrowed the scope of the term Personal Health Record under this subtitle. Thus, the conference report included the broader term, PHR individual identifiable health information, so that the scope of the term Personal Health Record would properly include electronic records of personal health information, regardless of whether they have been “created or received by a health care provider, health plan, employer, or health care clearinghouse.”

Copyright 2005-2010, Bricker & Eckler LLP, all rights reserved.