What is the HIPAA Privacy Rule? From https://www.hhs.gov/hipaa/for-professionals/privacy/index.html:
“The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.”
That is the official definition, but it’s got more holes in it than a wheel of Swiss cheese.
For starters, “The Rule requires appropriate safeguards to protect the privacy of personal health information…” is not an accurate statement.
If the Rule was requiring appropriate safeguards to protect privacy, it would require the patented hard disk firewall software that was ingeniously created by someone working out of the Royal Holloway University in London.
And, it would require patented keystroke encryption technology. And a plethora of 20 other technologies that, when expertly woven together, make 22…and create quite an un-hackable solution.
But oddly, the U.S. Department of Health and Human Services (HHS) got to write the safeguards instead of experts in electronic privacy (like us). They got to write the Rule because our elected officials didn’t.
So elected officials hand off to appointed officials, and exclude private experts. That’s the recipe for the Privacy Rule, and it’s also the recipe for disaster.
“The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information. Collectively these are known as the Administrative Simplification provisions.”
HIPAA required the Secretary to issue privacy regulations governing individually identifiable health information, if Congress did not enact privacy legislation within three years of the passage of HIPAA. Because Congress did not enact privacy legislation, HHS developed a proposed rule and released it for public comment on November 3, 1999. The Department received over 52,000 public comments. The final regulation, The Privacy Rule, was published December 28, 2000.
In March 2002, the Department proposed and released for public comment modifications to the Privacy Rule. The Department received over 11,000 comments. The final modifications were published in final form on August 14, 2002. A text combining the final regulation and the modifications can be found at 45 CFR Part 160 and Part 164, Subparts A and E.”
But like any story worth telling, there’s a yellow brick road to follow. Or at least breadcrumbs.
And if you follow them faithfully, they lead you on a wild goose chase. Through a nightmare of a maze.
Or, to another branch of the government tree. Because where the “final modifications were published in final form on August 14, 2002. A text combining the final regulation and the modifications can be found at 45 CFR Part 160 and Part 164, Subparts A and E.” leaves off, it picks up again on Genetic Discrimination (yes, we said www.genome.gov):
“The Genetic Information Nondiscrimination Act (GINA) of 2008 protects Americans from discrimination based on their genetic information in both health insurance (Title I) and employment (Title II). Title I amends the Employee Retirement Income Security Act of 1974 (ERISA), the Public Health Service Act (PHSA), and the Internal Revenue Code (IRC), through the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as the Social Security Act, to prohibit health insurers from engaging in genetic discrimination.
The regulations governing implementation of GINA in health insurance took effect on December 7, 2009 and are implemented by the Internal Revenue Service, Department of Labor, and Department of Health and Human Services (HHS). GINA amends HIPAA to clarify that genetic information is health information and provides a finalized rule that went into effect March 26, 2013.”
You see, the final Privacy Rule was enacted in 2009 and went into effect in 2013.
As is usually the case with the HIPAA chase, we find ourselves going to the source – the “Federal Register.” That’s where you find the actual “Finalized Rule.”
Why do you need help with HIPAA? Because you won’t have time to run your practice if you do it (correctly) yourself (it’s a LOT).
From page 51698 (seriously) of : Federal Register / Vol. 74, No. 193 / Wednesday, October 7, 2009 / Proposed Rules found at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/genetic/ginanprm.pdf:
“DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
HIPAA Administrative Simplification: Standards for Privacy of Individually Identifiable Health Information
AGENCY: Office for Civil Rights, HHS.
ACTION: Proposed rule.
SUMMARY: The Department of Health and Human Services (HHS) proposes to modify certain provisions of the ‘Standards for Privacy of Individually Identifiable Health Information’’ (Privacy Rule), issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The purpose of these proposed modifications is to implement section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA) regarding the privacy and confidentiality of genetic information, as well as to make certain other changes to the HIPAA Privacy Rule.”
Are you following? It’s hard, we know. It’s a road with many curves, and at some point you find yourself at a crossroads.
Which way to go?
Back to the Privacy Rule of 2000, or the Amended Privacy Rule of 2002? Or, on to the Final Privacy Rule of 2009, effective in 2013? Going backwards doesn’t seem wise, so onward we march…
The goal, total HIPAA compliance.
What is HIPAA compliance? You have to understand the Security Rules and Privacy Rules of HIPAA, but to be truly compliant you need to understand the amendments to the Rules.
“You have to learn the rules of the game. And then you have to play better than anyone else” – Albert Einstein.
Only this is not a game, and you are pretty confused. Stay with us; we are known for bringing hope to the hopeless.
In short, GINA is what changed the Privacy Rule into the final Privacy Rule. It stands for the Genetic Information Nondiscrimination Act of 2008.
This ride is about to get bumpy, and long (well, bumpier and longer, I suppose would be more accurate)… But fear not! We will be at the end of every paragraph to shed a little light, and let you sip from the Holy Grail of truth serum. There will be a star (*), to show you when we’ve showed up on the scene.
On May 21, 2008, President Bush signed into law the Genetic Information Nondiscrimination Act of 2008 (‘‘GINA’’), Public Law 110–233, 122 Stat. 881.
Congress enacted GINA to ‘‘establish [ ] a national and uniform basic standard [that] is necessary to fully protect the public from discrimination and allay their concerns about the potential for discrimination, thereby allowing individuals to take advantage of genetic testing, technologies, research, and new therapies.’’ GINA section 2(5).”
*Really? This is about “allowing individuals to take advantage of genetic testing, technologies, research, and new therapies?” You should know that researchers are exempt from needing written consent from patients to share their personal health information (PHI), though.
“To that end, GINA generally prohibits discrimination based on an individual’s genetic information with respect to both health coverage and employment. In particular, with respect to health coverage, Title I of GINA generally prohibits discrimination in group premiums based on genetic information, proscribes the use of genetic information as a basis for determining eligibility or setting premiums in the individual and Medicare supplemental policy (Medigap) insurance markets, and limits the ability of group health plans, health insurance issuers, and Medigap issuers to collect genetic information or to request or require that individuals undergo genetic testing.”
*Did they say require?
“Title II of GINA generally prohibits use of genetic information in the employment context, restricts acquisition of genetic information by employers and other entities covered by Title II, and strictly limits such entities from disclosing genetic information. The Departments of Labor (Employee Benefits Security Administration), Treasury (Internal Revenue Service), and HHS (Centers for Medicare & Medicaid Services) are responsible for administering and enforcing the GINA Title I nondiscrimination provisions, and the Equal Employment Opportunity Commission (EEOC) is responsible for administering and enforcing the GINA Title II nondiscrimination provisions.”
*Sometimes, it’s about what’s unseen. And sometimes, it’s about what’s unsaid.
Please note, GINA does not prohibit the use of genetic information in determining eligibility for life insurance, or for deciding when to take out a policy. That would put owners of nursing homes on the winner list, and life insurance companies would make the hall of fame winner list. Know when to hit, and know when to hold ’em.
“In addition to these nondiscrimination provisions, Title I of GINA contains certain new privacy protections for genetic information. In particular, section 105 of GINA, entitled ‘‘Privacy and Confidentiality,’’ amends Part C of Title XI of the Social Security Act by adding section 1180 to address the application of the HIPAA Privacy Rule to genetic information. Section 1180 requires the Secretary of HHS to revise the Privacy Rule to clarify that genetic information is health information and to prohibit group health plans, health insurance issuers (including HMOs), and issuers of Medicare supplemental policies from using or disclosing genetic information for underwriting purposes.”
*But not other purposes.
“In this proposed rule, HHS is proposing to implement the modifications required by GINA section 105, as well as to make certain other modifications to the HIPAA Privacy Rule, and seeks public comment on its proposal. In developing its proposal, HHS consulted with the Departments of Labor and Treasury, as required by section 105(b)(1) of GINA, to ensure, to the extent practicable, consistency across the regulations. In addition, HHS coordinated with the EEOC in the development of these regulations.”
*Maybe they should have consulted a human rights advocacy group? Again, no mention of life insurance. Which boasts the most guaranteed return on investment that the world has ever known, by the way. For now, until artificial intelligence helps us solve the problem of death.
“II. Description of Proposed Modifications Overview and Scope In accordance with section 105 of GINA and the Department’s general authority under sections 262 and 264 of HIPAA, the Department proposes to modify the HIPAA Privacy Rule to: (1) Explicitly provide that genetic information is health information for purposes of the Rule; (2) prohibit health plans from using or disclosing protected health information that is genetic information for underwriting purposes;”
*Again, does not apply to other purposes, or to life insurers. Or to disability insurance plans. We aren’t sure why, because disability and death certainly relate to health and health information.
“(3) revise the provisions relating to the Notice of Privacy Practices for health plans that perform underwriting;”
*But not life insurers or disability insurance providers that perform underwriting.
“(4) make a number of conforming modifications to definitions and other provisions of the Rule; and”
*This is probably where you should just stare at your screen in disbelief, or feel shocked and appalled…or cry, if you are a crier. That’s pretty vague, and you are still 100% required to be compliant.
“(5) make technical corrections to update the definition of ‘‘health plan.’’
*How many ways are there to define two one-syllable words?
“Section 105 of GINA requires HHS to modify the Privacy Rule to prohibit ‘‘a covered entity that is a group health plan, health insurance issuer that issues health insurance coverage, or issuer of a medicare [sic] supplemental policy’’ from using or disclosing genetic information for underwriting purposes.
*But not life insurance issuers that issue life insurance. Did we mention the remarkable ROI of life insurance, especially if you know when to take out a policy? Not too much longer, but inside of the two-year waiting period would be an ideal sweet spot.
“GINA section 105 provides that the terms ‘‘group health plan’’ and ‘‘health insurance coverage’’ have the meanings given such terms under section 2791 of the Public Health Service Act (42 U.S.C. 300gg–91), and that the term ‘‘medicare [sic] supplemental policy’’ has the meaning given such term in section 1882(g) of the Social Security Act. In addition, the term ‘‘health insurance issuer,’’ as defined at 42 U.S.C. 300gg– 91, includes a health maintenance organization (HMO). These four types of health plans (i.e., group health plans, health insurance issuers, and health maintenance organizations, as defined in the Public Health Service Act, as well as issuers of Medicare supplemental policies), correspond to the types of health plans listed at subparagraphs (i) through (iii) and (vi) of paragraph (1) of the definition of ‘‘health plan’’ at § 160.103 in the HIPAA Privacy Rule. In addition to these four categories of health plans, the HIPAA Privacy Rule also applies to many other types of health plans, including: (1) Long-term care policies (excluding nursing home fixed-indemnity policies);”
“(2) employee welfare benefit plans or other arrangements that are established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers (to the extent that they are not group health plans or health insurance issuers); (3) high risk pools that are mechanisms established under State law to provide health insurance coverage or comparable coverage to eligible individuals; (4) certain public benefit programs, such as Medicare Part A and B, Medicaid, the military and veterans health care programs, the Indian Health Service program, and others; as well as (5) any other individual or group plan, or combination of individual or group plans that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg–91(a)(2)). This last category includes, for example, certain ‘‘excepted benefits’’ plans described at 42 U.S.C. 300gg–91(c)(2), such as limited scope dental or vision benefits plans.”
*Excepted list also includes disability plans, long-term and nursing home plans, and life insurance plans (we read the U.S. code 42 U.S.C. 300gg–91(c)(2)).
“See the definition of ‘‘health plan’’ at § 160.103. The Department proposes to apply the prohibition in GINA on using and disclosing protected health information that is genetic information for underwriting to all health plans that are subject to the Privacy Rule, rather than solely to the plans GINA explicitly requires be subject to the prohibition. We believe that this interpretation is consistent with both GINA and the Secretary’s broad authority under HIPAA.”
*We agree. We just don’t understand why their interpretation doesn’t include the biggest threat to health (death), or why the Secretary has such broad authority.
“Section 264 of HIPAA (42 U.S.C. 1320d–2 note) provides the Secretary with authority to promulgate privacy standards that govern: (1) The rights that an individual who is a subject of individually identifiable health information should have.”
*Common theme, this authority of the Secretary.
“(2) The procedures that should be established for the exercise of such rights. (3) The uses and disclosures of such information that should be authorized or required. Accordingly, the Secretary has wide latitude to promulgate privacy standards that limit the use or disclosure of individually identifiable health information, including genetic information.”
*Now it’s “wide latitude.” Interestingly, it seems like this is a loophole for the Secretary to change any thing at any time, legally. Thank goodness for democracy, or this would be scary.
“Furthermore, section 262 of HIPAA, codified at 42 U.S.C. 1320d– 1, states that: Any standard adopted under this part shall apply, in whole or in part, to the following persons: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1173(a)(1).”
*Just not life insurance issuers, or administrators of nursing home fixed-indemnity plans. Winner, winner, chicken dinner.
“While other portions of HIPAA were limited to group health plans, see, e.g., sections 101 and 102 of HIPAA, the Administrative Simplification subtitle governs a substantially broader definition of ‘‘health plan,’’ 42 U.S.C. 1320d, and instructs that ‘‘any standard’’ will apply to all such health plans. Based on this broad definition of ‘‘health plan,’’ the wide latitude Congress provided to the Secretary to promulgate privacy standards, and the charge that ‘‘any standard’’ should apply to all health plans, we interpret that the HIPAA administrative simplification provisions provide the Secretary with broad authority to craft privacy standards that uniformly apply to all health plans, regardless of whether such health plans are governed by other portions of the HIPAA statute.”
*No comment, because really…what is there to say? Besides why did they use the word “craft?”
Clinton signed HIPAA into law, Bush signed GINA into law, Obama signed HITECH into law, but the Secretary trumps them all- and the Final Privacy Rule is subject to change at any time.
And, this applies to personal health information (PHI). Not to everything else, so the massive Equifax Breach of 2017 doesn’t violate the Privacy Rule. It does, however, affect nearly half of the country.
All of whom (not literally, but a huge number) signed up for penalty payment checks of $125. Except the settled upon amount has changed, and people may get pennies now (literally).
But how much was all that data worth, when half the country voluntarily updated Equifax’s records with current and correct contact information- making Equifax the now undisputed owner of the largest amount of accurate PII on Americans?
Personally identifiable information. Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data. And in a world that feeds on big data, it is very (VERY) valuable.
Ironic, how Equifax became a winner by “suffering” one of the most harmful privacy breaches in history. It seems you can have your PII, and eat your cake too…
OPTION 1 FOR LIGHTNING
OPTION 2 FOR THUNDER