The HIPAA Privacy Rule and Bioterrorism Planning, Prevention, and Response

James G. Hodge, Jr.; Erin Fuse Brown; Jessica P. O'Connell


Biosecur Bioterror. 2004;2(2) 

A Brief Legal Overview of the HIPAA Privacy Rule

Prior to the implementation of the Privacy Rule, there existed fragmented and varied laws and policies concerning health information privacy.[4] The U.S. Constitution does not explicitly grant individuals a right to health information privacy, and judicial decisions (or case law) have not generally supported an individual's broad expectation of health information privacy. An array of federal and state laws, including the federal Privacy Act of 1974,[5] the Freedom of Information Act of 1966 (FOIA),[6] and the E-Government Act of 2002[7] (and their state, tribal, or local equivalents), address health information privacy.[4] These privacy laws apply to certain types of health information collected or maintained in specific settings or for particular purposes.[8] Although full discussion of these privacy laws exceeds the scope of this article, it is important to note that the Privacy Rule exists within this larger universe of federal and state health information privacy laws that may also affect the sharing of health data. Furthermore, as discussed below, the Privacy Rule does not apply to all potential exchanges of health data that may occur in response to a bioterrorism event.

Congress passed HIPAA in 1996 in part to improve the efficiency of the provision of health care by encouraging the development of standardized communication systems between various health-care entities. Having failed to pass a comprehensive health information privacy law within 3 years of HIPAA's passage, Congress directed DHHS to develop and implement privacy protections through administrative regulations. After months of drafting and public comments, DHHS promulgated the first systematic national privacy protections through the HIPAA Privacy Rule in December 2000. DHHS's Office for Civil Rights (OCR) now administers the Privacy Rule, which took effect for most covered entities on April 14, 2003. The scope of the Rule is briefly discussed below.

Congress expressly limited the application of the Privacy Rule to "covered entities."[9] Covered entities include health plans (e.g., health insurance companies, managed care entities, and specifically named government health programs), health-care clearinghouses (e.g., billing services, repricing companies, or community health information systems that process health data), and health-care providers (e.g., doctors, hospitals, clinics) that conduct transactions electronically.[10] DHHS carried forward the application of the Rule to their business associates (e.g., claims processors, billing managers, data analyzers, and others).[10] Others who acquire, use, disclose, or store protected health information (PHI) -- such as employers; auto, life, and worker compensation insurers; and social welfare agencies -- are not directly covered.[2] Although the Privacy Rule is expressly directed to the identified covered entities and their business associates, its coverage does not stop there. The Rule also applies to anyone who conducts "covered functions" (i.e., functions that assimilate the provision of health-care or insurance services) and also conducts electronic transactions of PHI as part of the provision or payment for these services.[11] Thus, outside of a bioterrorism event, if a local public health authority provides vaccinations to low-income children as a service to the community (and also bills its minimal costs through electronic means), the local public health authority is treated under the Privacy Rule like a medical practitioner who performs similar services.[2] At least in its capacity as the provider of covered functions, the local public health authority must adhere to the Privacy Rule requirements.

In response to a bioterrorist event, many people and organizations other than typical health-care providers -- such as members of the National Guard or volunteer organizations, or firefighters -- may be required to provide health-care services to individuals. When coupled with electronic transmissions of PHI, these acts may trigger coverage under the Privacy Rule even during an emergency. Application of the Privacy Rule to nontraditional health-care providers could interfere with the free exchange of identifiable health information in response to a bioterrorism scenario.

The Privacy Rule protects most individually identifiable health information created or received in any form (e.g., electronic, paper-based) by covered entities. "Protected health information" includes individually identifiable data that relate to the past, present, or future physical or mental health or condition of a person, the provision of health care to a person, or the payment for health-care services.[12] PHI does not include nonidentifiable health information or "de-identified data." Nonidentifiable health information is any collection of health information that does not (or cannot when coupled with other accessible information) identify the individuals to whom it pertains. De-identified data include aggregate health statistics, data stripped of unique identifiers (which are specifically listed in the Rule), or data certified by a qualified statistician as incapable of being used to identify an individual.[13]

Covered entities are responsible for establishing and adhering to various privacy protections related to PHI. These include:

  • Notifying individuals regarding their privacy rights and how their PHI is used or disclosed;[14]

  • Adopting and implementing internal privacy policies and procedures;[15]

  • Training employees to understand privacy policies and procedures;[16]

  • Designating people to be responsible within the organization for implementing privacy policies and procedures;[17]

  • Establishing appropriate administrative, technical, and physical safeguards to protect the privacy of PHI;[18] and

  • Assisting health consumers in exercising their rights to inspect their PHI and to request corrections or amendments to it.[19]

The Rule also requires covered entities to account for many disclosures.[20] Under this requirement, individuals can request and review a list of disclosures of their PHI over a certain period of time (usually 6 years). Generally, a covered entity must document the date, recipient and address, and purpose or use for most disclosures; it does not need to document disclosures made:

  • for treatment, payment, and health-care operations;

  • in limited data sets via data use agreements;

  • pursuant to individual written authorization;

  • to the individual;

  • for national security or intelligence purposes; or

  • to correctional and custodial institutions.

Accounting requirements may be temporarily suspended for disclosures to health oversight agencies or law enforcement officials if accounting would unduly impede the agencies' or officials' activities. Less extensive accounting requirements are allowed for multiple disclosures of PHI to the same person for the same purpose (e.g., regular, routine disclosures for public health surveillance activities) or for research involving 50 or more individuals.[2] The DHHS Office for Civil Rights offers the following clarification concerning disclosures of large sets of health data to public health authorities:

The Privacy Rule does not require a notation in each medical record that has been accessed by public health authorities, as long as the information required under the Privacy Rule is included in the accounting for disclosures. Where, as with many public health disclosures, access to an entire universe of records is involved, tracking disclosures can be accomplished without the need for documentation in each record.[21]

Covered entities must also limit the amount of data disclosed to the minimum necessary to achieve the specified goal. The Rule suggests that a covered entity establish a minimum necessary policy that governs how it will release PHI.[22] Presumably, strict adherence to a minimum necessary standard could impede some disclosures. Covered entities may seek to restrict the amount of PHI they disclose to public health authorities. However, the Rule clarifies that covered entities may permissibly defer to public health or law enforcement authorities for clarification of how much health data are minimally necessary to meet the stated purposes for the disclosure.[23] Thus, these authorities (and not covered entities) should largely determine the extent of health data needed from covered entities under the Rule.

As a federal regulatory standard, the Privacy Rule serves as a federal floor of protections for PHI. It thus preempts contrary state or local laws (i.e., state laws that provide less privacy protection or interfere with Privacy Rule requirements).[24] However, the Rule does not preempt state or local health information privacy laws that offer more stringent protections. State or local laws that are more protective of health information privacy rights than the Rule remain in effect.[4] In addition, state public health laws that require or authorize the disclosure of PHI for public health or other purposes or govern the privacy and confidentiality of public health information are not affected by the Rule. Specifically, the Rule leaves intact public health laws that provide for "the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention."[25]

The Privacy Rule specifically addresses how and under what circumstances covered entities may disclose PHI outside their organizations. In general, a covered entity may not disclose PHI without individual written authorization,[26] subject to a series of exceptions. A covered entity must disclose PHI without patient authorization when (1) an individual requests a copy or accounting of his or her own PHI, or (2) DHHS needs access to PHI to facilitate an ongoing compliance investigation under the Rule.[27] Covered entities may disclose PHI without individual authorization to other entities for treatment, payment, and health-care operations purposes (a standard part of most health-care transactions).[28] Several additional exceptions allowing covered entities to disclose PHI without individual authorization are discussed below.

