HIPAA Changes in the HITECH Act of 2009: Definitions
House bill Sec. 4400
Senate bill Sec. 13400
Conference agreement Sec. 13400
This text is from the Conference Committee Report
Current Law
Under the Administrative Simplification provisions of the
Health Insurance Portability and Accountability Act of 1996
(HIPAA; P.L. 104-191), Congress set itself a three-year
deadline to enact health information privacy legislation. If,
as turned out to be the case, lawmakers were unable to pass
such legislation before the deadline, the HHS Secretary was
instructed to promulgate regulations containing standards to
protect the privacy of individually identifiable health
information. The HIPAA privacy rule (45 CFR Parts 160, 164)
established a set of patient rights, including the right of
access to one's medical information, and placed certain
limitations on when and how health plans and health care
providers may use and disclose such protected health
information (PHI). Generally, plans and providers may use and
disclose health information for the purpose of treatment,
payment, and other health care operations without the
individual's authorization and with few restrictions. In
certain other circumstances (e.g., disclosures to family
members and friends), the rule requires plans and providers
to give the individual the opportunity to object to the
disclosure. The rule also permits the use and disclosure of
health information without the individual's permission for
various specified activities (e.g., public health oversight,
law enforcement) that are not directly connected to the
treatment of the individual. For all uses and disclosures of
health information that are not otherwise required or
permitted by the rule, plans and providers must obtain a
patient's written authorization.
The HIPAA privacy rule also permits health plans and health
care providers--referred to as HIPAA covered entities--to
share health information with their business associates who
provide a wide variety of functions for them, including
legal, actuarial, accounting, data aggregation, management,
administrative, accreditation, and financial services. A
covered entity is permitted to disclose health information to
a business associate or to allow a business associate to
create or receive health information on its behalf, provided
the covered entity receives satisfactory assurance in the
form of a written contract that the business associate will
appropriately safeguard the information.
In addition to health information privacy standards,
HIPAA's Administrative Simplification provisions instructed
the Secretary to issue security standards to safeguard PHI in
electronic form against unauthorized access, use, and
disclosure. The security rule (45 CFR Parts 160, 164)
specifies a series of administrative, technical, and physical
security procedures for providers and plans to use to ensure
the confidentiality of electronic health information.
House Bill
The House bill defines the following key privacy and
security terms, in most cases by reference to definitions in
the HIPAA Administrative Simplification standards: breach,
business associate, covered entity, disclose, electronic
health record, electronic medical record, health care
operations, health care provider, health plan, National
Coordinator, payment, personal health record, protected
health information, Secretary, security, state, treatment,
use, and vendor of personal health records.
Senate Bill
Same provision.
Conference Agreement
The Conference report includes some technical modifications
to the definitions.
One set of such modifications is included in the definition
of “breach”. The Conference report includes a technical
change to clarify that some inadvertent disclosures can
constitute a breach under the meaning of this subtitle. The
conference report clarifies the definition to stipulate that
disclosures (as defined in 45 CFR 164.103) constitute a
breach, except as otherwise provided under the definition.
The definition provides that a disclosure where a person
would not reasonably be able to retain the information
disclosed is not a breach. Also not a breach is any
inadvertent disclosure from an individual who is otherwise
authorized to access protected health information at a
facility operated by a covered entity or business associate
to another similarly situated individual at the same facility
provided that any such information received as a result of
such disclosure is not further acquired, accessed, used, or
disclosed without authorization by any person.
Another set of such modifications pertains to the
definition of Personal Health Records. Specifically, the
report clarifies that Personal Health Records are “managed,
shared, and controlled by or primarily for the individual.”
This technical change clarifies that PHRs include the kinds
of records managed by or for individuals, but does not
include the kinds of records managed by or primarily for
commercial enterprises, such as life insurance companies that
maintain such records for their own business purposes. By
extension, a life insurance company would not be considered a
PHR vendor under this subtitle. A second clarification in the
definition of PHR is the use of the term “PHR individual
identifiable health information” (as defined in section
13407(f)(2)). In the House and Senate bills, the term
“individually identifiable health information” was used.
Use of that term would have required that, to be considered a
PHR, an electronic record would have to include information
that was “created or received by a health care provider,
health plan, employer, or health care clearinghouse.”
However, there is increasing use of electronic records that
contain personal health information that has not been created
or received by a health care provider, health plan, employer,
or health care clearinghouse. Use of the term “individually
identifiable health information” would have thus improperly
narrowed the scope of the term Personal Health Record under
this subtitle. Thus, the conference report included the
broader term, PHR individual identifiable health information,
so that the scope of the term Personal Health Record would
properly include electronic records of personal health
information, regardless of whether they have been “created
or received by a health care provider, health plan, employer,
or health care clearinghouse.”