The U.S. Department of Health and Human Services (HHS) published a final health privacy regulation on December 28, 2000, pursuant to authority granted by the Health Insurance Portability and Accountability Act (HIPAA). In general, the regulation puts limits on how health information can be used and disclosed, and gives people important new rights, including the right to inspect, copy, and amend their medical records.
The regulation covers most, but not all, health care providers. The health care providers that may be covered include health care professionals, hospitals, clinics, pharmacists, and other places where people obtain health care services. To be covered, however, a health care provider must transmit claims-type information electronically (via computer). For example, if a doctor submits claims for payment electronically to health insurance companies, that doctor is covered. The health information that this health care provider creates or receives is then protected by the regulation no matter what form the information takes; that is paper records, electronic records, oral communications, x-rays, etc., are all covered. The regulation also covers health plans, health insurance companies, and managed care plans, including HMOs. These providers and plans are referred to in the regulation generally as ''covered entities.''1
The regulation is an important breakthrough in the effort to protect the privacy of health information. It will go a long way toward promoting confidence in the privacy of medical information and improving the quality of care. Although we have concerns about some aspects of the regulation, on the whole, it strikes the right balance between protecting privacy and respecting legitimate uses and disclosures by covered entities.2 The most important drawback is that, due to constraints imposed by the authorizing legislation, the regulation does not create a federal right of action for private individuals to sue to enforce it. Enforcement is thus left to the Secretary of HHS.
This regulation is scheduled to take effect on April 14, 2001, but entities that are covered by the regulation have until April of 2003 to come into compliance. Small health plans have an additional year. Unfortunately, as one of the Bush Administration's first acts, the new HHS Secretary, Tommy Thompson, responded to industry pressure and moved to reopen the new regulation to public comments. We fear that by doing so, Thompson has signaled his intent to delay or weaken the substantial protections offered by the regulation. (Take Action! Click here to let Thompson know that the public demands strong privacy protection.)
This document discusses the import of the regulation in five areas: the protection of minors' health information; the protection of health information concerning sensitive health services; the protection of information concerning victims of family violence; the protection against inappropriate disclosures to, and uses by, employers; and the protection against reports of drug use by pregnant women to law enforcement officials.
MINORS' RIGHTS
As numerous studies have found, access to confidential services is one of the prime determinants of whether an adolescent seeks and obtains timely health care related to sensitive topics such as sexuality and substance abuse. For example, studies show that somewhere between eight and thirty-one percent of teens delay or entirely forego health care because of concerns that their private information will be revealed to parents or others.3 In addition, research confirms that teens who believe that their health care provider will maintain their confidentiality are more likely to discuss sensitive health topics, such as sexually transmitted diseases, pregnancy prevention, and substance abuse, with their provider.4 In recognition of these facts and the critical need to encourage minors to get the health care they need, the overwhelming majority of states have enacted laws that allow minors to consent on their own to specific services such as prenatal care, family planning services, testing and treatment for sexually transmitted diseases, and treatment for alcohol and/or drug abuse.5 In addition, many states have case law that guarantees ''mature minors'' the right to consent to health care generally.
The new regulation by and large preserves existing practices with respect to minors, and, in so doing, strikes an appropriate balance between the need for parents to have access to their children's health information and the need for minors to keep some information private. Thus, under the new regulation, parents will generally have access to and the right to control their children's health information.6 Section 164.502(g)(1), (3). This general rule, however, is subject to three important exceptions that serve to protect minors' confidentiality.
First, the minor, and not the parent, will have the right of access to and control over her health information concerning health services that she may lawfully obtain without parental consent. Section 164.502(g)(3)(i)-(ii). Because most states allow minors to obtain testing and treatment for sexually transmitted diseases, pregnancy testing, prenatal care, and contraceptives without their parents' consent, under the regulation minors will also control their health information relating to these services.
Likewise, the treatment of information related to abortion follows the right to consent to the service. In states that have either no law requiring parental involvement in minors' abortions or that require parental notice (as opposed to parental consent), minors who consent to an abortion will control the relevant health information. In states that require that minors obtain either a parent's consent or a judicial waiver, minors who obtain the waiver will also control the health information relevant to their abortions. When, however, a minor complies with a parental consent law by obtaining her parent's consent, the parent who consents will have access to and control over the information related to the abortion.
A minor's voluntary involvement of a parent in seeking a health service does not change her right to control the related information. Thus, for example, if a sixteen-year-old goes with her mother to a gynecologist for an examination and to discuss and obtain contraceptives, the teenager controls the health information relating to the contraceptive services so long as she was legally entitled to obtain such services on her own, and regardless of whether her mother also consented to such services.
Second, the regulation preserves and respects the existing practice of allowing parents, their children, and health care providers to enter into agreements enabling the health care professional to provide confidential care to the minor. Take, for example, a minor who visits the pediatrician with a parent for the purpose of a routine annual physical examination. Under protocols developed by the American Academy of Pediatrics, the pediatrician should raise with adolescent patients during their annual exams questions about risk-taking behavior such as drug and alcohol use and sexual activity. Typically, the parent provides the consent for the annual examination, but the pediatrician (again, under protocols developed by the American Academy of Pediatrics) explains to both the parent and the minor that the examination should be private and that the pediatrician will keep the minor's confidences. When and to the extent that the parent assents to this agreement, a private and confidential examination follows. The regulation does not disturb this practice, and, indeed, respects its importance. Under the regulation, where such agreements exist, the minor, and not the parent, will have the right of access to and control over the health information covered by the agreement. Section 164.502(g)(3)(iii).7
Finally, the regulation provides important protections for circumstances in which allowing a parent access to a minor's health information will endanger the minor. For a discussion of these protections, see the discussion of family violence, below.
In carving out these exceptions to the general rule of giving parents access to and control over their children's health information, HHS adopted much of the approach to protecting minors' confidentiality that we suggested in our comments, and we are generally pleased with the results. The regulation, however, contains one loophole that has the potential to vitiate these protections. This loophole results from the way the regulation deals with state laws that provide parents access to their children's health information.
The regulation's basic approach to dealing with conflicting state laws is a sound one, mandated by the authorizing legislation, HIPAA. In general, state laws that conflict with provisions of the regulation are preempted (meaning the regulation controls) unless the state law is more protective of an individual's privacy. Section 160.203(b).
This general rule does not apply, however, to state laws that authorize or prohibit disclosure of health information to a parent. Section 160.202. Such laws remain in effect even when they authorize disclosure to a minor's parent in circumstances expressly disallowed under the regulation. For example, despite the regulation's provision entitling minors to control their health information related to services they lawfully consent to on their own, if a state has a law granting parents broad access to their children's medical records, the state law, and not the regulation, will govern. We strongly urged HHS to fix this problem -- as it both undermines the important protections provided to minors by the regulation and conflicts with HIPAA -- but it declined to do so.8
Although contrary state laws pertaining to disclosures to parents generally will not be preempted, we encourage advocates and attorneys to argue that such state laws should not control in situations where the federal regulation expressly provides for exceptions to prevent harm or injury to the minor. These provisions are discussed below in the section on family violence. It should be noted that one of these provisions, which authorizes a covered entity to refuse to recognize abusers as ''personal representatives,'' expressly states that it applies ''notwithstanding'' state laws to the contrary. Section 164.502(g)(5).
RIGHT TO ADDITIONAL RESTRICTIONS ON DISCLOSURES OF PROTECTED INFORMATION
The regulation provides individuals two rights to restrict the way in which health care providers and health plans communicate with them. These rights are important both for victims of domestic violence and for individuals who wish to obtain sensitive health care services -- including health care relating to sexuality, mental health, and substance abuse -- without alerting others in their households.
First, the regulation requires health care providers to honor reasonable requests by individuals to alter the manner in which the provider communicates with them. Section 164.522(b)(1)(i). For example, a teenager seeking testing for sexually transmitted diseases may request that the results of the test (or even the fact of the test) not be left on his or her home answering machine. Similarly, a victim of domestic violence who fears she is pregnant and makes an appointment for pregnancy testing and counseling may request that the provider not call her at home to remind her of the appointment. Providers are not permitted to require an explanation from the individual as a condition of accommodating the request. The regulation does allow providers to require that the individual specify an alternative address or method of contact and make payment arrangements.
Second, the regulation requires health plans to honor reasonable requests to receive communications of protected health information by alternative means or at alternative locations if the individual clearly states that the disclosure of all or part of the information could endanger the individual. Section 164.522(b)(1)(ii). Thus, for example, a woman who is the victim of domestic violence may request that her explanation of benefits form (EOB), showing that she received treatment for injuries caused by her batterer, be sent to her workplace instead of her home. Similarly, a teenager who fears that her parents will beat her if they learn that she got a pregnancy test at a family planning clinic may request that the EOB be sent to a friend's house.
The right to restrict communications from a health plan, while important and beneficial, does not go as far as we would like. As an initial matter, the right to restrict communications from the health plan only applies if the individual would be endangered by a disclosure. Thus, minors (and others) who do not fear that they will be endangered by a disclosure, but who nonetheless have a real need for privacy, have no right under this provision. Moreover, the regulation may provide insufficient protection even for those who do fear violence because it requires them to articulate this fear (something many victims of family violence are unwilling to do), and it even allows health plans to require a written statement that disclosure of all or part of the information could endanger the individual.
In addition to these two provisions giving individuals the right to restrict certain communications, the regulation explicitly gives individuals the right to request restrictions on other uses and disclosures of protected health information. Such requests, however, need not be granted. If they are agreed to by the covered entity, the restrictions must be honored except in emergency and other specified circumstances. Section 164.522(a).
VICTIMS OF FAMILY VIOLENCE
The final regulation includes some significant protections for victims of family violence. In addition, it poses new restrictions on when covered entities may report domestic violence and other types of abuse and neglect (other than child abuse and neglect). State laws regarding reporting of child abuse and neglect, on the other hand, are almost entirely unaffected by the regulation.
Personal Representatives
The regulation classifies as a ''personal representative'' anyone who, under applicable law, has authority to act on behalf of another in making decisions related to health care. Personal representatives include, among others, people making health care decisions for others under legal instruments such as health care proxies or powers of attorney, parents acting on behalf of their unemancipated minor children, and medical guardians. Except in certain limited circumstances, discussed below and in the minors' rights section above, personal representatives exercise all the rights of the individual under the regulation, including the rights of access to and control of protected health information relevant to such personal representation. Section 164.502(g)(1)-(3).
While transferring these rights from an individual to a personal representative is necessary and appropriate in some instances, it can in other circumstances put the individual at serious risk of harm. The regulation provides two avenues for avoiding such harm.
As an initial matter, the regulation permits covered entities to refuse to treat a person as an individual's personal representative (and therefore to deny the person access to and control over the individual's health information) if the entity reasonably believes that (1) the individual has been or may be subjected to abuse or neglect by the would-be personal representative; or (2) treating the person as a personal representative may endanger the individual. In either case, the covered entity must conclude, in the exercise of professional judgment, that it would not be in the individual's best interest to recognize the personal representative. Section 164.502(g)(5).
Another section of the regulation provides additional protection for situations in which the covered entity believes generally that it is safe to treat a person as the individual's personal representative (and thus to allow them access to and control over the individual's health information), but feels that disclosure of certain information is reasonably likely to cause substantial harm to the individual or another person. Section 164.524(a)(3)(iii). Take, for example, the situation in which a mother brings her daughter to the pediatrician. In the course of the examination, the pediatrician discovers that the daughter is being sexually abused by her father. Her father has told her that if she tells anyone he will kill her. The daughter feels strongly that her mother will not believe her and fears that her mother will tell her father what she has told the pediatrician. In these circumstances, the pediatrician is entitled to deny the mother's request for access to the record of her daughter's visit, even though the pediatrician generally treats the mother as the daughter's personal representative. This provision, however, is of limited practical utility because it requires that the covered entity provide the parent with a written statement within 30 days explaining the reason for the denial. Section 164.524(b)(2)(i)(B); 164.524(d)(2)(i). Such explanation would put the daughter at risk not only of her mother's learning of the allegation and telling her father, but also of her father's receiving the explanation directly if it is sent to the home.
Reporting of Domestic Violence and Other Abuse and Neglect (Other Than Child Abuse and Neglect)
Under the regulation, covered entities may report domestic violence or other abuse or neglect (other than child abuse or neglect) to a government agency authorized to receive such reports (including law enforcement) only in three circumstances. Section 164.512(c)(1).
- First, a covered entity may make such a report if the person believed to be the victim of the abuse or neglect agrees to the report.
- Second, a covered entity may make such a report if it is required by law. In such circumstances, the disclosure must comply with and be limited to the relevant requirements of such law.
- Third, a covered entity may make such a report if it is expressly authorized by statute or regulation and one of the following two conditions is met:
- the covered entity believes the disclosure is necessary to prevent serious harm to the individual or other potential victim, or
- if the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the information for which disclosure is sought is not intended to be used against the individual and that immediate law enforcement activity would be materially hampered by waiting for the disclosure until the individual is able to agree.
Notifying the Victim that a Report Has Been or Will Be Made
In most circumstances, a covered entity that has reported, or plans to report, a victim of domestic violence or other abuse or neglect (again, other than a victim of child abuse or neglect) must promptly inform the individual that a report has been or will be made. There are only two exceptions to this rule. First, the covered entity need not inform the individual if, in the exercise of professional judgment, it believes that doing so would place the individual at risk of serious harm. The second exception applies only where informing the individual would mean informing that person's personal representative -- for example, where a guardian has been appointed to make decisions for an elderly person or someone who is otherwise not competent to make health care decisions. In those circumstances, the covered entity need not inform the personal representative of the report if the entity reasonably believes that the personal representative is responsible for the abuse or neglect and that informing the personal representative would not be in the individual's best interest. Section 164.512(c)(2).
Reporting of Child Abuse and Neglect
The regulation's restrictions on reporting other types of abuse and neglect do not apply to the reporting of child abuse. Such reporting continues to be governed by state law. Under the regulation, covered entities may disclose private health information to a public health authority or other government authority authorized by law to receive reports of child abuse or neglect. Section 164.512(b)(1)(ii). The regulation imposes no obligation on entities who report child abuse or neglect to advise the child of the report -- even when the child is an older teenager. Nor is there any requirement that the government agency provide assurances that the disclosed information will not be used against the child.
Right To Restrict Health Care Facilities' Directory Information
Health care facilities, including hospitals, often maintain directories of their patients that are used in part to provide information regarding a patient's condition and location to family and friends. Such directories can pose a real threat to victims of domestic violence by enabling batterers to learn the whereabouts of their victims. The regulation provides important protections that should help prevent this problem.
Under the regulation, health care providers may generally tell individuals who ask for a patient by name (1) the location of the individual in the health care facility; and (2) generalized facts concerning the patient's condition in a manner that does not communicate specific medical information about the patient. Providers are required, however, to provide the patient with the opportunity to restrict or prohibit some or all of these disclosures. Section 164.510(a)(1)-(2). The regulation also provides important protections for those who are incapable of objecting due to an emergency or incapacity. In those situations, the health care provider may include some or all of the patient's information in the directory only after considering whether inclusion would be (1) consistent with any prior expressed preference of the patient (if any is known to the provider); and (2) in the patient's best interest. Section 164.510(a)(3).
Right To Restrict Disclosures to Family and Friends
Covered entities often disclose private health information to patients' family members and close friends for a variety of reasons. Sometimes such information is disclosed because the family member or friend is involved with caring for the individual or paying for the individual's health care. Other times a covered entity may need to disclose protected health information (i.e., that an individual has suffered a heart attack and is in the emergency room) for the purpose of notifying (or assisting in the notification of) a family member, personal representative, or other person responsible for the individual's care. Such disclosures continue to be permitted under the regulation, but are subject to restrictions that provide individuals with greater control over who has access to this information. Section 164.510(b)(1)-(3).
The regulation sets forth two different standards for determining whether a disclosure to a friend or family member is permissible. The first standard applies when the individual is present for, or is otherwise available prior to, a disclosure and has the capacity to make health care decisions. In those circumstances, a covered entity may only disclose protected health information to a family member, personal representative, or friend, if one of the following three conditions is met:
- The covered entity obtains the individual's agreement;
- The covered entity provides the individual with the opportunity to object to the disclosure, and the individual does not object; or
- The covered entity reasonably infers from the circumstances that the individual does not object to the disclosure. The preamble to the regulation gives as examples of circumstances in which it is reasonable to infer that the individual has no objection: (1) a patient who brings a spouse into a doctor's office when treatment is being discussed; and (2) a patient who brings a friend or colleague to the emergency room for treatment.
If, on the other hand, the individual is not present, or the opportunity to agree or object to the disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, the covered entity must use its professional judgment to determine if information should be disclosed. If, in such circumstances, the covered entity believes that it is in the individual's best interest, the entity may disclose information that is directly relevant to the person's involvement with the individual's health care. The regulation specifically provides that covered entities may use professional judgment and their experience with common practice to make reasonable inferences regarding the individual's best interest in allowing a person to act on behalf of the individual in picking up prescriptions, medical supplies, x-rays, or other similar forms of protected health information.
DISCLOSURES TO, AND USES OF INFORMATION BY, EMPLOYERS
The regulation covers health plans offered by employers, but it does not directly cover employers themselves. This failure to cover employers adds complexity to the regulation and puts people at risk for privacy breaches. The regulation does not cover employers directly because HHS did not have authority from Congress to do so.
Health plans that are sponsored by employers are covered if:
- The plan has 50 or more participants; OR
- Regardless of the number of participants, the plan is administered by an entity other than the employer that sponsors the plan.
As a result, most health plans offered through employers will be covered. Most employers that sponsor a health plan contract with an insurance company or managed care plan to administer the plan. In such a case, the group health plan sponsored by the employer, as well as the insurance company or managed care plan, are both covered by the regulation.
The regulation has special provisions that apply to group health plans that are sponsored by employers. The combined effect of these special provisions is that protected health information can be shared with the employer only in limited circumstances and only when certain requirements are met. Since the employer sponsors the health plan, it has a legitimate need for some health information -- how much depends on the way the plan is structured. In general, the regulation does a good job of reconciling the employer's legitimate need for access to some health information with the need to ensure that protected health information is not used for employment-related purposes or for purposes unrelated to the management of the group health plan. Section 164.504(f).
Most employment-based group health plans will be structured so as to fall within certain provisions of the regulation that give employers access to the following information
Related Issues
Stay informed
Sign up to be the first to hear about how to take action.
By completing this form, I agree to receive occasional emails per the terms of the ACLU's privacy statement.
By completing this form, I agree to receive occasional emails per the terms of the ACLU's privacy statement.