Business Associates
If you are not a healthcare provider but you do business with one, you may be a Business Associate.


What kind of information is covered?

Medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally, are covered by the final rule.

Primary areas of coverage:

Consumer control over health information:
  1. Ensuring patients understand their privacy rights

    Providers and health plans will be required to give patients a clear written explanation of how the covered entity may use and disclose their health information. The proposed modifications would strengthen the notice requirements by ensuring that patients generally would be asked to acknowledge the privacy notice, while eliminating a prior written consent requirement for uses and disclosures related to treatment, payment and health care operations (TPO) that would have created significant new barriers to patients' access to care. This change would preserve patients' opportunity to consider a provider's privacy practices before making health care decisions. Patient authorization would still be required to use and disclose information for non-routine purposes.

  2. Ensuring patient access to their medical records

    Patients generally will be able to see and get copies of their medical records, and request amendments. In addition, a history of most non-routine disclosures must be made available to patients on request. The proposed modifications would make clear that parents generally would have access to their children's medical records.

  3. Providing recourse if privacy regulations are violated

    People will have the right to file a formal complaint with a covered provider or health plan, or with HHS, about violations of the provisions of this rule.

Boundaries on medical record use and release
  1. Ensuring that health information is not used for non-health purposes.

    Health information covered by the rule generally may not be used for purposes unrelated to health care - such as disclosures to employers to make personnel decisions, or to financial institutions - without explicit authorization from the individual.

  2. Clear, strong protections against marketing.

    The final privacy rule set new restrictions and limits on the use of patient information for marketing purposes. The proposed modifications would explicitly require covered entities to first obtain the individual's specific authorization before sending that person any marketing materials.

  3. Providing the minimum amount of information necessary.

    In general, uses or disclosures of information will be limited to the minimum necessary for the purpose of the use or disclosure. This provision does not apply to the disclosure of medical records for treatment purposes because physicians, specialists, and other providers need access to the full record to provide quality care.

Safeguards for personal health information

The final rule establishes the privacy safeguard standards that covered entities must meet. The requirements are flexible and scalable to account for the nature of each entity's business, and its size and resources. Covered entities generally will have to:
  1. Adopt written privacy procedures.

    These include a description of who has access to protected information, how it will be used within the entity, and when the information may be disclosed. Covered entities will also need to take steps to ensure that their business associates protect the privacy of health information.

  2. Train employees and designate a privacy officer.

    Covered entities will need to train their employees in their privacy procedures, and must designate an individual to be responsible for ensuring the procedures are followed.

Accountability for medical records use and release

In HIPAA, Congress provided penalties for covered entities that misuse personal health information.
  1. Civil penalties.

    Health plans, providers and clearinghouses that violate these standards will be subject to civil liability. Civil money penalties are $100 per violation, capped at $25,000 per calendar year for all violations of the same requirement or prohibition. The cap applies per requirement, not per patient: many identical violations affecting many patients in one year all count toward a single $25,000 ceiling for that requirement.

    For example, suppose your firm does not obtain a signed acknowledgment from each client/patient that they received a copy of your notice of privacy practices, and suppose you had 3,000 clients. At $100 per violation that is 3,000 times $100, or $300,000, but because every one of those violations is of the same requirement, the civil money penalty for that year would be capped at $25,000.

  2. Criminal penalties.

    Congress also established criminal penalties for certain actions such as knowingly obtaining protected health information in violation of the law. Criminal penalties are up to $50,000 and one year in prison for certain offenses; up to $100,000 and up to five years in prison if the offenses are committed under "false pretenses"; and up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm.

Balancing public responsibility with privacy protections

In limited circumstances, the final rule permits -- but does not require -- covered entities to continue certain existing disclosures of health information without individual authorization for specific public responsibilities. These permitted disclosures include:
  • Emergency circumstances

  • Identification of the body of a deceased person, or the cause of death

  • Public health needs

  • Research, generally limited to when a waiver of authorization is independently approved by a privacy board or institutional review board

  • Oversight of the health care system

  • Judicial and administrative proceedings

  • Limited law enforcement activities, and

  • Activities related to national defense and security

The privacy rule generally establishes new safeguards and limits on these disclosures. If there is no other law requiring that information be disclosed, covered entities will use their professional judgments to decide whether to disclose any information, reflecting their own policies and ethical principles.


Special protection for psychotherapy notes

Psychotherapy notes (used only by a mental health professional) are held to a higher standard of protection because they are not part of the medical record and are not intended to be shared with anyone else. All other personal health information is considered to be sensitive and protected consistently under this rule.


Equivalent requirements for government entities

The provisions of the final rule generally apply equally to private sector and public sector entities that are covered by the law. For example, both private hospitals and government medical units have to comply with the full range of requirements, such as providing notice, access rights and designation of a privacy officer.


Cost of implementation

The final rule projected the implementation costs at $17.6 billion over 10 years - a figure more than offset by the $29.9 billion in projected savings under the final electronic transactions regulation issued in August 2000. HHS estimates that the proposed modifications to the privacy rule would have a modest impact on reducing the overall cost of compliance.


Preserving existing, strong state confidentiality laws

State laws providing additional privacy protections continue to apply. The confidentiality protections are cumulative; the privacy rule will set a national "floor" of privacy standards that protect all Americans, and any state law providing additional protections would continue to apply. Where states have decided through law to require certain disclosures of health information, the final rule does not preempt these mandates.


Compliance and enforcement

The rule will be enforced by the HHS Office for Civil Rights (OCR). In July 2001, OCR issued its first set of guidance to answer many common questions about the new patient privacy rule and to clarify some questions regarding the rule's potential impact on health care delivery and access. Before the initial compliance date of April 14, 2003, OCR will provide additional guidance to help providers, plans and health care clearinghouses meet the requirements of the regulation.



The initial guidance and other information about the new regulation are available on the Web at http://www.hhs.gov/ocr/hipaa/.

© 2002,2003 HIPAA PS