The Bazelon Center for Mental Health Law


 

 


New Federal Privacy Regulations (Updated 4/29/02)
Bush Administration Makes Modifications to the Federal Rule On Medical Records Privacy

Final rules issued by the U.S. Department of Health and Human Services are generally strong, with important protections for mental health consumers

On December 20, 2000, the U.S. Department of Health and Human Services issued the first comprehensive federal rule protecting the privacy of individuals' medical records. The rule was required under the 1996 Health Insurance Portability and Accountability Act (HIPAA). The regulations will become effective 60 days after being published in the Federal Register on December 28, pages 82461-82510. (For the full text, search by issue and page number at the Government Printing Office site, www.access.gpo.gov/su_docs/aces/aces140.html.) There is a two-year implementation phase before compliance is required.

This is a strong rule, with many protections for consumers. It sets a floor for privacy protection, but does not pre-empt (overrule) any state laws that give greater privacy protection, including both laws already enacted by states and statutes that may be enacted in the future. Accordingly, states are still free to add more protections.

Because of its strong consumer focus, the rule faces challenges. Health plans and providers have complained that it is too complex and expensive to implement, and congressional oversight hearings are likely. The Bush Administration will also be under pressure to roll back these protections.

A summary of the new regulation follows.

The regulations give consumers of mental health services new rights.

  • The right to know how their medical records will be used and, in general terms, to whom medical information will be disclosed.
  • The right to give informed consent before providers can use or disclose a consumer's health care information, even for routine purposes such as treatment, payment and the operation of a health plan. However, providers may condition treatment on the consumer's providing that consent. Health plans are permitted to seek and obtain informed consent for all covered services and may condition enrollment on consent to the sharing of information for the purposes of treatment, payment and health care operations.
  • The right to prohibit disclosure for non-routine purposes, such as marketing and fundraising (although individuals may be contacted once for marketing and once for fundraising purposes and offered the opportunity to opt out of further communications of either type).
  • The right to request restrictions on uses or disclosures of their information (such as requesting that information not be shared with a particular individual). The provider or health plan may decide if it will honor this request.
  • The right to request that communications from the provider or plan be made in a certain way (such as prohibiting phone calls to the individual's home). This request must be honored unless it is unreasonable and creates an undue administrative burden.
  • The right to see and copy their own health information and to be provided documentation on who has had access to this information (this right is no different for those who use mental health services than for any other individual). Individuals may be denied access to their records only when the access would endanger the life or physical safety of any individual.
  • The right to request amendment to their record if it contains incorrect information.

The sharing and disclosure of information in a medical record is restricted.

  • Information shared must be limited to the minimum necessary to accomplish the intended purpose of the use, except if information is shared for treatment purposes, when the entire record can be shared.
  • Health plans and providers are given incentives to create and use information that does not disclose the consumer's identity (de-identified information).
  • Providers and health plans must establish privacy-conscious business practices to protect health records, e.g., training employees, designating a "privacy officer" to assist individuals with complaints and ensuring that appropriate safeguards are in place to protect the privacy of information.
  • Special protections are provided for highly sensitive mental health information shared during psychotherapy. Psychotherapy notes may not be disclosed without the consumer's specific written authorization and health plans may not condition enrollment or eligibility for benefits on the individual's providing this authorization. However, a patient may also be denied access to psychotherapy notes.
  • The rules restrict the use of health information by employers so that self-insured employers may not use health care information for purposes unrelated to health care, such as making personnel decisions.
  • The regulations also establish the rules under which health information can be shared with next of kin, for the purposes of research, law enforcement, judicial and administrative procedures, and public health purposes, including fraud and abuse investigations, and workers' compensation (see details in each area below).

Next of kin: Information can be shared with the next of kin, unless the individual has expressly objected. Information disclosing that an individual is in a health care facility and describing in general terms the individual's condition (e.g., "critical") can be released without authorization, provided the individual has been given an opportunity to object to such sharing of information and has not objected. In addition, a health care facility may disclose to a family member or other relative "information directly related to such person's involvement with the individual's care or payment," provided that the individual has been given the opportunity to object to such sharing and has not objected. If the individual is incapacitated and unable to give informed consent, the health care entity may use professional judgement to determine whether sharing information with family members is in the individual's best interest.

Research: Health information can be disclosed to researchers only when the research protocol has been reviewed and approved by an Institutional Review Board (IRB). Previously, IRB approval was needed only for federally funded research. The rules extend the IRB role to cover privately funded as well as federally funded research and add new criteria that IRBs must apply in making their decisions.

Law enforcement: Protections in this area are very weak. Providers and health plans are permitted to share information with law enforcement officials when the officials have obtained a court order, court-ordered warrant or subpoena, or through an administrative request. The administrative request may be obtained without a judge's review and in some cases can be written by the law enforcement officer him- or herself. In the case of an administrative request, there are some restrictions with respect to relevance of the information and the need for specificity, but there is no judicial oversight. Essentially law enforcement officers have great freedom of access to health information under these rules. Also, the rules permit the release of information when police are trying to identify a suspect, allowing the police to browse through identifiable health care information.

Judicial and administrative procedures: Providers and health plans are permitted to share information requested in the course of any judicial or administrative proceeding in response to a court order. The rules also permit sharing of health information in civil litigation. No judicial review is necessary before one party to litigation may subpoena medical records based on an assertion that they are relevant to the case. Records can also be released in response to a discovery request or other legal processes with no specific court order. As with law enforcement, some restrictions apply, but there is considerable flexibility for access to private health information when this is seen as necessary by the parties involved in civil litigation or during criminal proceedings.

Public health: Health information may be disclosed for public health activities, such as for prevention or control of disease, child abuse or neglect, domestic-violence reporting and quality control of products. Health information may also be disclosed for various activities related to health care oversight, including audits, administrative procedures and licensure.

Workers' compensation: Health care information may be disclosed to an employer by the employee's health provider or plan to evaluate whether the individual has a work-related illness or injury.

As a result of these new federal rules, all consumers will receive from their provider or health plan a notice of rights to health-information privacy. The federal regulations include requirements for the content of these notices. See a summary of the notice of privacy rights for what must be included in these notices.

How these rules affect consumers in public mental health systems

The regulations are structured in such a way that it is easy to see how they apply for people covered under a private health insurance plan. However, people who use public mental health system services are also protected.

The rules are easily applied for individuals using Medicaid.

  • State Medicaid programs are considered "health plans" in the context of these regulations and must operate as such, protecting the privacy of information in the same way a private health plan must (as described above).
  • Providers who provide services to Medicaid-covered individuals must follow these rules with respect to the sharing of information with other providers and with Medicaid (acting as a health plan). They must adhere to the rules for sharing information for public health purposes, with law enforcement or judicial systems and workers' compensation, as described above.
  • Any individual health plan that operates Medicaid under contract (such as a health maintenance organization or a carve-out behavioral health care organization) is also a "health plan" under these rules when it offers Medicaid services, just as it is when it offers services to privately insured individuals.
  • There is no difference in how these rules apply when a mental health authority (in place of the state Medicaid agency) operates parts of a Medicaid program (either under fee-for-service or through managed care).

Exceptions for public-sector mental health services

  • The new federal privacy rules do not automatically apply when services are provided entirely through grant funds. Therefore, when state or federal grants fund a particular mental health service (as when a state passes federal block grant funds on to a community mental health center) only some of the protections described above will be in place.
    • Mental health providers are required to adhere to the rules, following the rules regarding notification, consent, sharing of information, sharing only the minimum of information necessary for a specific purpose, etc.
    • However, information collected by the state or county agency that gives the grant may not be as well protected as information collected by a private health plan or a Medicaid agency. The rule is not specific on how a granting agency must protect information, and officials in the Department of Health and Human Services told the Bazelon Center that final decisions on how the rules will or will not apply when services are funded through a grant will be made through a process of interpretation, which the Department will undertake. As of this date, these interpretative guidelines have not been issued; accordingly, this remains a gray area.
  • Additionally, any information sharing required under "law" is permitted by this rule. A state law that mandates reporting of health care information therefore overrides the protections in these rules. This exception applies to state law and regulations but not to policy memoranda.
  • State mental health authorities may also be able to collect certain information if it falls into the category of public health information. For example, collecting data on services use and costs, including data necessary to make unduplicated counts of individuals seen, could fall under this exemption. (Final clarity on this issue may also require interpretive guidelines from DHHS.)

Notice of Privacy Rights

Following is a summary of federal rules regarding the notice of privacy rights that health plans and health care providers must give users of health care services.

  • The notice will be headed: "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."

  • The notice must describe how information will be used and disclosed for treatment, payment and for health care operations. It will also describe any other purposes for which the entity sending the notice will use or disclose information.
  • The notice will explain that other uses and disclosures will only be made with your explicit written authorization.
  • The notice will explain your right to request restrictions on certain uses and disclosures, to receive confidential communications, to inspect and copy the information and to amend health information that is not correct.
  • The notice will state that you have the right to know with whom your health care information has been shared.
  • The notice must state that you may complain to the covered entity or to the Secretary of HHS if you believe your privacy rights have been violated and how you may file a complaint with the covered entity. The name of a person who can be contacted for further information will also be included.
  • After receiving this notice, you will be asked to sign an authorization for treatment, payment and health care operations. You have the right, under these federal rules, to sign or to request additional privacy protections and restrictions. You should make these requests at the time you are asked to sign an authorization.

Judge David L. Bazelon Center for Mental Health Law
1101 15th Street, NW, Suite 1212
Washington, DC 20005

Phone: 202-467-5730
Fax: 202-223-0409
Email: webmaster@bazelon.org

 