Federal Rules Protecting Privacy of Employee Health Information Take Effect

Insurance, health care provider and pharmacy records containing confidential personal health information are now subject to stiffer privacy protection under regulations issued by the Department of Health and Human Services, as empowered by the federal Health Insurance Portability and Accountability Act of 1996, or HIPAA. Until recently it was left to the states to protect this type of confidential and personal information. The federal regulations were designed to cover the weaknesses in many of those state laws while preserving the stronger protection in areas such as mental health, HIV infection, and AIDS information. The rules took effect April 14, 2001, but most employers affected by the rules have until April 14, 2003 to comply. This is Part I of a two-part article.

The basic principle of the new rules is simple: "covered entities" cannot use or disclose "protected health information" except with the consent or authorization of the patient or as permitted under the regulations.

Who Are Covered Entities?

The rules apply to "covered entities," a term broadly defined to include most health plans, health care clearinghouses, health care providers, and their "business associates," i.e., those who perform services for such entities, like claims processing or administration, billing, data analysis, consulting or other related services. HHS states that an employer is not a covered entity. However, an employer involved in the administration or operation of its plan through the claims review process or claims processing may become a covered entity subject to the rules. Also, the privacy rules will have an impact on employer compliance efforts with other employment laws, such as the Family and Medical Leave Act and the Americans with Disabilities Act.

What Is Protected Health Information?

The final rule protects medical records and other individually identifiable confidential health information, in any form, whether written, electronic or oral, that is used or disclosed by a covered entity.

Patient Control over Protected Health Information

Covered entities must inform individuals (in written or electronic form) of their privacy rights, including the following rights:

  1. to see and obtain copies of protected information;
  2. to request amendments to protected information;
  3. to be notified how a covered entity intends to use and disclose protected information and of non-routine disclosures;
  4. to request that covered entities restrict use and disclosure of protected information; and
  5. to formally complain to a covered entity or to the Secretary of HHS regarding violations of rules and policies.