Obama-Biden 2008, “Barack Obama and Joe Biden's Plan to Lower Health Care Costs and Ensure Affordable, Accessible Health Coverage for All,” available at <http://www.barackobama.com/pdf/issues/HealthCareFullPlan.pdf> (last visited June 24, 2009).
The American Recovery and Reinvestment Act of 2009, Public Law No. 111-5.
4. Connecting for Health, Markle Foundation, Survey Finds Americans Want Electronic Personal Health Information to Improve Own Health Care, survey conducted by Lake Research Partners and American Viewpoint in November 2006 for the Markle Foundation's conference, Connecting Americans to Their Health Care: Empowered Consumers, Personal Health Records and Emerging Technologies, available at <http://www.markle.org/downloadable_assets/research_doc_120706.pdf> (last visited June 24, 2009).
5. There is a difference between “privacy” and “security.” Although there are no universally accepted definitions of those terms, in general privacy refers to policies and practices that govern the access, use, and disclosure of personal health information, and security refers to the technological tools that are used to implement those policies.
6. See Goldman, J., “Protecting Privacy to Improve Health Care,” Health Affairs 10, no. 6 (1998): 47–60, at 49; Goldman, J., and Hudson, Z., California Healthcare Foundation, Promoting Health/Protecting Privacy: A Primer, January 1999, available at <http://www.chcf.org/topics/view.cfm?itemID=12502> (last visited June 24, 2009).
Bishop, L. S., California Healthcare Foundation, National Consumer Health Privacy Survey 2005, November 2005, available at <http://www.chcf.org/topics/view.cfm?itemID=115694> (last visited June 24, 2009).
9. This paper uses the term “personal health information” to refer generally to an individual's identifiable health information, and uses the term “protected health information” to refer to information expressly protected by HIPAA.
10. Covered entities are health plans, health care clearinghouses, and most health care providers who submit health care claims electronically (specifically, those who transmit health information in electronic form for those transactions for which the Secretary has adopted standards (i.e., transaction code sets)). See 45 C.F.R. § 160.102(a) (2007).
11. Protected health information is individually identifiable health information that includes demographic information and “that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care; and that identifies the individual” or “there is a reasonable basis to believe the information can be used to identify the individual.” See 45 C.F.R. § 160.201 (2007) for the precise definition.
12. Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another. See 45 C.F.R. § 164.501 (2007).
13. Payment includes activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and to furnish or obtain reimbursement for health care delivered to a patient. See 45 C.F.R. § 164.501 (2007).
14. Health care operations include the following: (1) conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination; (2) reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities; (3) underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims; (4) conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs; (5) business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and (6) business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating deidentified health information or a limited data set, and fundraising for the benefit of the covered entity. See Appendix A and 45 C.F.R. § 164.501 (2007).
Pollitz, K., Georgetown University Health Policy Institute, the Genetics and Public Policy Center at Johns Hopkins University, Summaries of the Genetic Information Nondiscrimination Act of 2008 (GINA), Public Law 110–28, Title I: Health Insurance, available at <http://www.dnapolicy.org/resources/GINATitle-1summary.pdf>; Public Law 110–233, Title II: Employment, available at <http://www.dnapolicy.org/resources/GINATitle-IIsummary.pdf> (last visited February 3, 2009).
17. FERPA applies to health and other records in educational settings; Part 2 applies to federally funded substance abuse treatment facilities; and the Privacy Act applies to federal facilities.
18. See 18 U.S.C. §§ 2702(a)(1)-(3) (2007).
19. See 18 U.S.C. § 2701(c)(1) (2007); see also 18 U.S.C. § 2702(a)(2)(B) (2007).
20. See Dimitropoulos, L. L., Agency for Healthcare Research and Quality, Privacy and Security Solutions for Interoperable Health Information Exchange: Assessment of Variations and Analysis of Solutions Report, July 2007, 3-8–3-9, available at <http://healthit.ahrq.gov/portal/server.pt/gateway/PTARGS_0_1248_661882_0_0_18/AVAS.pdf> (last visited June 24, 2009) [hereinafter cited as “Privacy and Security Solutions”]. For an “overzealous” interpretation of HIPAA, see Gross, J., “Keeping Patients' Details Private, Even from Kin,” New York Times, July 3, 2007, available at <http://www.nytimes.com/2007/07/03/health/policy/03hipaa.html7_r=1> (last visited June 24, 2009); see also Houser, S. H., “Assessing the Effects of the HIPAA Privacy Rule on the Release of Patient Information by Healthcare Facilities,” Perspectives in Health Information Management 4, no. 1 (spring 2007), available at <http://www.pubmedcentral.nih.gov/arti-clerender.fcgi?artid=2082070&tool=pmcentrez> (last visited June 24, 2009) [hereinafter cited as “HIPAA Privacy Rule”] (which recommended additional clarification of HIPAA regulations, standardized instructions, and extensive training of healthcare workers).
21. Id. (HIPAA Privacy Rule).
22. See Paasche-Orlow, M. K., “Notices of Privacy Practices: A Survey of the Health Insurance Portability and Accountability Act of 1996 Documents Presented to Patients at U.S. Hospitals,” Medical Care 43, no. 6 (June 2005): 558–564; Hochhauser, M., “Why Patients Won't Understand Their HIPAA Privacy Notices,” Privacy Rights Clearinghouse (April 10, 2003), available at <http://www.privacyrights.org/ar/HIPAA-Readability.htm> (last visited June 24, 2009); Pollio, M. C., “The Inadequacy of HIPAA's Privacy Rule: The Plain Language Notice of Privacy Practices and Patient Understanding,” New York University Annual Survey of American Law 60 (2005): 579–620, at 593.
23. A health care clearinghouse is “a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.” See Social Security Act § 1171(2), 42 U.S.C. § 1320d (2009).
24. 45 C.F.R. § 165.504(e)(2) (2007).
25. Id.
26. Those who meet the definition of a health care clearinghouse would be covered by HIPAA.
27. See The HIPAA Privacy Rule and Health IT, Health Information Technology, Department of Health and Human Services, available at <http://healthit.hhs.gov/portal/server.pt> (last visited June 24, 2009).
28. Personal health records offered by covered entities would be covered by the Privacy Rule.
29. National Committee on Vital and Health Statistics (NCVHS) Reports and Recommendations, Letter to the Secretary of the U.S. Department of Health and Human Services: Personal Health Record (PHR) Systems, September 9, 2005, available at <http://ncvhs.hhs.gov/050909lt.htm> (last visited June 24, 2009).
30. See Center for Democracy and Technology, Comprehensive Privacy and Security: Critical for Health Information Technology, May 2008, available at <http://www.cdt.org/healthprivacy/20080514HPframe.pdf> (last visited June 24, 2009); see also Promoting the Adoption and Use of Health Information Technology: Hearing before the Subcomm. on Health of the H. Comm. on Ways and Means, 110th Cong. (2008) (statement of Deven McGraw, Director, Health Privacy Project, Center for Democracy and Technology), available at <http://cdt.org/testimony/20080724mcgraw.pdf> (last visited June 24, 2009).
31. With respect to the leading bill in the Senate, the Wired for Health Care Quality Act (S.1693), the version marked up by the Health, Education, Labor and Pensions (HELP) Committee included a provision that would have subjected PHRs to coverage under HIPAA; however, a proposed amendment from Senator Leahy that was under serious consideration by bill sponsors would have stripped out this provision and replaced it with a provision similar to those in the House bills.
32. For an articulation of fair information practices as applied to a health information exchange environment, see The Markle Foundation, “Connecting Professionals: Private and Secure Information Exchange,” 2006, available at <http://www.connectingforhealth.org/commonframework/index.html> (last visited June 24, 2009). See also the Organization for Economic Cooperation and Development (OECD) Data Protection Principles (1980), extract from Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at <http://www.anu.edu.au/people/Roger.Clarke/DV/OECDPs.html> (last visited June 24, 2009).
33. HIPAA nondiscrimination provisions (Title I) prohibit individuals in group health plans from being denied eligibility for benefits or charged more for coverage because of any “health factor,” which includes health status and medical history or condition. These provisions do not apply to insurance purchased in the individual market. For a summary of these provisions, see Employee Benefits Security Administration, U.S. Department of Labor, “FAQs: About the HIPAA Nondiscrimination Requirements,” available at <http://www.dol.gov/ebsa/faqs/faq_hipaa_ND.html> (last visited June 24, 2009).
34. The three states are Arkansas, California, and Delaware. For more information, see Gage, D., “California Data-Breach Law Now Covers Medical Information,” San Francisco Gate, January 4, 2008, available at <http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/01/04/BuR6U9000.DTL> (last visited June 24, 2009).
35. A comprehensive analysis of state breach notification laws is beyond the scope of this paper.
36. 45 C.F.R. § 164.514(b)(1) (2007).
37. 45 C.F.R. § 164.514(b)(2) (2007).
38. 45 C.F.R. § 164.514(a)(b)(2)(ii) (2007).
39. 45 C.F.R. § 164.514(e) (2007).
40. 45 C.F.R. § 164.514(e)(3)-(4) (2007).
41. Sweeney, L., The Identifiability of Data (forthcoming book publication); see Ocha, S., Massachusetts Institute of Technology, “Reidentification of Individuals in Chicago's Homicide Database, A Technical and Legal Study,” November 2008, available at <http://web.mit.edu/sem083/www/assignments/reidentification.html> (last visited June 24, 2009).
42. 45 C.F.R. § 164.514(e)(4)(iii)(A) (2007).
43. See supra note 4.
44. 45 C.F.R. § 164.501 (2007).
45. Id.
46. The Privacy Rule gives individuals a right to request a restriction on uses or disclosures of protected health information for treatment, payment and health care operations (and on disclosures to family or friends who are assisting in the individual's care), but the covered entity does not have to comply with the request. See 45 C.F.R. § 164.522(a) (2007).
47. 45 C.F.R. § 164.514(d) (2007).
48. See Privacy and Security Solutions, supra note 20, at 3-5, 3-7.
See section (1) in the definition of health care operations, 45 C.F.R. § 164.501 (2007).
52. Id.
53. 45 C.F.R. § 164.512(i) (2007).
54. 45 C.F.R. § 164.522(a) (2007).
55. National Committee on Vital and Health Statistics (NCVHS) Reports and Recommendations, Letter to the Secretary of the U.S. Department of Health and Human Services: Privacy and Confidentiality in a Nationwide Health Information Network (NHIN), June 22, 2006, recommending that individuals have a choice regarding whether or not their information is included in the NHIN. See also NCVHS Reports and Recommendations, Report to the Secretary of the U.S. Department of Health and Human Services: Individual Control of Sensitive Health Information Accessible via the NHIN for Purposes of Treatment, February 20, 2008, recommending that individuals be allowed to sequester information in certain sensitive categories.
56. Id. (NCVHS Report to the Secretary, February 20, 2008).
57. Id.
58. 45 C.F.R. § 164.524(c)(2) (2007). This access right applies to information maintained in a designated record set, and exempts psychotherapy notes and a few other categories of information; see also 45 C.F.R. § 164.524(a)(1) (2007).
59. U.S. Department of Health and Human Services, Health Information Privacy, Compliance and Enforcement, “Top Five Issues in Investigated Cases Closed with Corrective Action, by Calendar Year,” available at <http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/top5issues.html> (last visited June 24, 2009).
Standards for Privacy of Individually Identifiable Health Information, 67 Federal Register 53,182 (August 14, 2002) (to be codified at 45 C.F.R. pts. 160, 164).
64. U.S. Department of Health and Human Services, HIPAA Frequently Asked Questions: About the Privacy Rule, “Why Was the Consent Requirement Eliminated from the HIPAA Privacy Rule, and How Will It Affect Individuals' Privacy Protections?” November 9, 2006, available at <www.hhs.gov/hipaafaq/about/193.html> (last visited February 3, 2009).
65. 45 C.F.R. § 164.508(b)(4) (2007).
66. See, e.g., Discussion Draft of Health Information Technology and Privacy Legislation: Hearing before Subcomm. on Health of the H. Comm. on Energy and Commerce, 110th Cong. (2008) (written testimony of Dr. Deborah Peel, Founder & Chair, Patient Privacy Rights), available at <http://www.patientprivacyrights.org/site/DocServer/Peel_written_testimony_06.04.08.pdf?docID=4021> (last visited June 24, 2009). See also Privacy and Health Information: Hearing Before Subcomm. on Privacy and Confidentiality of the Nat'l Comm. on Vital and Health Statistics, U.S. Department of Health and Human Services, February 23, 2005 (testimony of Sue A. Blevins, Founder and President, Institute for Health Freedom), available at <http://www.ncvhs.hhs.gov/050224p6.htm> (last visited June 24, 2009).
67. See, e.g., Center for Democracy & Technology, Rethinking the Role of Consent in Protecting Health Information Privacy, January 2009, available at <http://www.cdt.org/healthprivacy/20090126Consent.pdf> (last visited June 24, 2009).
68. Id., at 14–19, for examples of approaches to consent taken by some state electronic exchange networks. For state profiles, see generally State-Level Health Information Exchange Consensus Project, Profiles of State-Level HIE Efforts, available at <http://www.slhie.org/efforts.asp> (last visited June 24, 2009).
69. See NCVHS Letter to the Secretary (June 22, 2006), supra note 56.
Alonso-Zaldivar, R., “Effectiveness of Medical Privacy Law Is Questioned,” Los Angeles Times, April 9, 2008, available at <http://www.latimes.com/business/la-na-privacy-9apr09,0,5722394.story> (last visited June 24, 2009). In July 2008, HHS announced that Seattle-based Providence Health & Services agreed to pay $100,000 as part of a settlement of multiple violations of the HIPAA regulations. But the press release from HHS made clear that this amount was not a civil monetary penalty. See also U.S. Department of Health and Human Services, HHS, Providence Health & Services Agree on Corrective Action Plan to Protect Health Information, News Release, July 17, 2008, available at <http://www.hhs.gov/news/press/2008pres/07/20080717a.html> (last visited June 24, 2009).
72. For more information on the OLC memo and its consequences, see Swire, P., “Justice Department Opinion Undermines Protection of Medical Privacy,” Center for American Progress, June 7, 2005, available at <http://www.americanprogress.org/issues/2005/06/b743281.html> (last visited June 24, 2009).