HIPAA Changes in the HITECH Act of 2009: Restrictions on Certain Disclosures and Sales of Health Information
House bill: Sec. 4405
Senate bill: Sec. 13405
Conference agreement: Sec. 13405
This text is from the Conference Committee Report
Current Law
The privacy rule established several individual privacy
rights. First, it established a new federal legal right for
individuals to see and obtain a copy of their own PHI in the
form or format requested by the individual, if it is readily
producible in such form or format. If not, then the
information must be provided in hard copy or such form or
format as agreed to by the covered entity and the individual.
The covered entity can impose reasonable, cost-based fees for
providing the information. Second, the rule gives individuals
the right to amend or supplement their own PHI. The covered
entity must act on an individual's request for amendment
within 60 days of receiving the request. That deadline may be
extended up to 30 days. Third, individuals have the right to
request that a covered entity restrict the use and disclosure
of their PHI for the purposes of treatment, payment, or
health care operations. However, the covered entity is not
required to agree to such a restriction unless it has entered
into an agreement to restrict, in which case it must abide by
the agreement. Finally, individuals have the right to an
accounting of disclosures of their PHI by a covered entity
during the previous six years, with certain exceptions. For
example, a covered entity is not required to provide an
accounting of disclosures that have been made to carry out
treatment, payment, and health care operations.
The privacy rule incorporates a minimum necessary standard.
Whenever a covered entity uses or discloses PHI or requests
such information from another covered entity, it must make
reasonable efforts to limit the information to the minimum
necessary to accomplish the intended purpose of the use or
disclosure. There are a number of circumstances in which the
minimum necessary standard does not apply; for example,
disclosures to or requests by a health care provider for
treatment purposes. The rule also permits the disclosure of a
"limited data set" for certain specified purposes (e.g.,
research), pursuant to a data use agreement with the
recipient. A limited data set, while not meeting the rule's
definition of de-identified information (see below), has most
direct identifiers removed and is considered by HHS to pose a
low privacy risk.
House Bill
The House bill would give individuals the right to receive
an electronic copy of their PHI, if it is maintained in an
electronic health record. Any associated fee charged by the
covered entity could only cover its labor costs for providing
the electronic copy. The bill would require a health care
provider to honor a patient's request that the PHI regarding
a specific health care item or service not be disclosed to a
health plan for purposes of payment or health care
operations, if the patient paid out-of-pocket in full for
that item or service. The House bill also would give an
individual the right to receive an accounting of PHI
disclosures made by covered entities or their business
associates for treatment, payment, and health care operations
during the previous three years, if the disclosures were
through an electronic health record. Within 18 months of
adopting standards on accounting of disclosures (as required
under PHSA Section 3002, as added by Section 4101 of this
Act), the Secretary would be required to issue regulations on
what information shall be collected about each disclosure.
For current users of electronic health records, the
accounting requirements would apply to disclosures made on or
after January 1, 2014. For covered entities yet to acquire
electronic health records, the accounting requirements would
apply to disclosures on or after January 1, 2011, or the date
of electronic health record acquisition, whichever is later.
The House bill would require covered entities to limit the
use, disclosure, or request of PHI, to the extent
practicable, to a limited data set or, if needed, to the
minimum necessary to accomplish the intended purpose of such
use, disclosure, or request. This requirement would sunset at
such a time as the Secretary issues guidance on what
constitutes minimum necessary. The Secretary would have 18
months to issue such guidance. In addition, the bill would
clarify that the entity disclosing the PHI (as opposed to the
requester) makes the minimum necessary determination. The
HIPAA privacy rule's exceptions to the minimum necessary
standard would continue to apply.
Within 18 months of enactment, the Secretary would be
required to issue regulations to eliminate from the
definition of health care operations those activities that
can reasonably and efficiently be conducted with de-identified
information or that should require authorization
for the use or disclosure of PHI.
The House bill would prohibit the sale of PHI by a covered
entity or business associate without patient authorization
except in certain specified circumstances, such as to recoup
the costs of preparing and transmitting data for public
health or research activities (as defined in the HIPAA
privacy rule), or to provide an individual with a copy of his
or her PHI. Within 18 months of enactment, the Secretary
would be required to issue regulations governing the sale of
PHI.
Finally, the House bill specifies that none of its
provisions would constitute a waiver of any health privacy
privilege otherwise applicable to an individual.
Senate Bill
The Senate bill includes all the same provisions as the
House bill, other than the final provision protecting an
individual's health privacy privileges, but with the
following additional language: (1) in developing guidance on
what constitutes minimum necessary, the Secretary would be
required to take into consideration the information necessary
to improve patient outcomes and to manage chronic disease;
(2) in developing regulations on the accounting of
disclosures through an EHR, the Secretary would be required
to take into account an individual's interest in learning
when the PHI was disclosed and to whom, as well as the cost
of accounting for such disclosures; (3) regarding the
definition of health care operations, the Secretary would be
required to review and evaluate the definition and, to the
extent necessary, eliminate those activities that could
reasonably and efficiently be conducted using de-identified
information or that should require authorization; (4) the
Secretary could not require the use of de-identified
information or require authorization for the use and
disclosure of information for activities within a covered
entity that are described in paragraph one of the definition
of health care operations; and (5) in developing regulations
governing the sale of PHI, the Secretary would be required to
evaluate the impact of charging an amount to cover the costs
of preparing and transmitting data for public health or
research activities.
Conference Agreement
The conference agreement maintains most of these provisions
but makes small modifications. The conference agreement takes
the Senate changes on issuing guidance on what constitutes
minimum necessary and what factors have to be considered. The
conference agreement requires an accounting of disclosures
but has a longer timeframe for allowing providers to come
into compliance with this requirement than the House bill and
shorter than the Senate bill. The requirement to account for
disclosures under this section is prospective. For example, a
covered entity that acquires an electronic health record as
of June 30, 2012 would be required to account for disclosures
made through that electronic health record as of June 30,
2012 and forward. The covered entity would be required to
retain that accounting for a period of three years. Thus, if
an individual requested an accounting for disclosures on June
30, 2015, the covered entity would be required to provide
that accounting for the period of June 30, 2012 to June 30,
2015, with respect to such individual, consistent with the
requirements of Section 13405. However, if an individual
requested an accounting of disclosures on June 30, 2013, the
covered entity would be required to provide such accounting
only for the period of June 30, 2012 to June 30, 2013.
Section 13405(c)(4) of the Senate-passed bill included a
provision allowing the imposition of a reasonable fee for the
accounting for disclosures required under this Section.
However, this statutory provision was duplicative of an
existing provision under 45 CFR 164.528(c)(2), which already
allows for the imposition of a reasonable fee for providing
such accounting, so the provision from the Senate-passed bill
was struck.
The conference agreement strikes the provision requiring
the Secretary to review the definition of health care
operations. The conference agreement permits the sale of
protected health information in cases of research but only
limited to costs of preparing and transmitting data. It also
permits the sale of protected health information for public
health activities; the Secretary is required to study and
determine whether costs should be limited. The conference
agreement allows an individual to request their health
information in an electronic format, if it is maintained in
such a format, for a reasonable cost-based fee, as it was in
the House and Senate bills. The conference agreement permits
the individual to designate that the information be sent to
another entity or person. Finally, the conference agreement
specifies that none of its provisions would constitute a
waiver of any health privacy privilege otherwise applicable to
an individual, but moves this provision to section 13421,
Relationship to Other Laws.