National Academies Press: OpenBook

For the Record: Protecting Electronic Health Information (1997)

Chapter: Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information

« Previous: Appendix C National Library of Medicine Awards to Develop Health Care Applications of the National Information Infrastructure
Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information

Title li-Preventing Health Care Fraud And Abuse; Administrative Simplification

Subtitle F-Administrative Simplification

SEC. 261. PURPOSE.

It is the purpose of this subtitle to improve the Medicare program under title XVIII of the Social Security Act, the medicaid program under title XIX of such Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.

SEC. 262. ADMINISTRATIVE SIMPLIFICATION.

(a) IN GENERAL.-Title XI (42 U.S.C. 1301 et seq.) is amended by adding at the end the following:

''PART C-ADMINISTRATIVE SIMPLIFICATION "DEFINITIONS

"SEC. 1171. For purposes of this part:

NOTE: The material reproduced in this appendix has been reprinted from an electronic version of the Congressional Record-House, July 31, 1996, H9495-H9499. It is intended for use as a general reference, and not for legal research or other work requiring authenticated primary sources.

Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

"(1) CODE SET.-The term 'code set' means any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.

"(2) HEALTH CARE CLEARINGHOUSE.-The term 'health care clearinghouse' means a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.

"(3) HEALTH CARE PROVIDER.-The term 'health care provider' includes a provider of services (as defined in section 1861(u)), a provider of medical or other health services (as defined in section 1861(s)), and any other person furnishing health care services or supplies.

"(4) HEALTH INFORMATION.-The term 'health information' means any information, whether oral or recorded in any form or medium, that-

"(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

"(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

"(5) HEALTH PLAN.-The term 'health plan' means an individual or group plan that provides, or pays the cost of, medical care (as such term is defined in section 2791 of the Public Health Service Act). Such term includes the following, and any combination thereof:

"(A) A group health plan (as defined in section 2791(a) of the Public Health Service Act), but only if the plan-

"(i) has 50 or more participants (as defined in section 3(7) of the Employee Retirement Income Security Act of 1974); or

"(ii) is administered by an entity other than the employer who established and maintains the plan.

"(B) A health insurance issuer (as defined in section 2791(b) of the Public Health Service Act).

"(C) A health maintenance organization (as defined in section 2791(b) of the Public Health Service Act).

"(D) Part A or part B of the Medicare program under title XVIII.

"(E) The medicaid program under title XIX.

"(F) A Medicare supplemental policy (as defined in section 1882(g)(1)).

"(G) A long-term care policy, including a nursing home fixed indemnity policy (unless the Secretary determines that such a policy does not provide sufficiently comprehensive coverage of a benefit so that the policy should be treated as a health plan).

"(H) An employee welfare benefit plan or any other arrangement which is established or maintained for the purpose of offering or providing health benefits to the employees of 2 or more employers.

"(I) The health care program for active military personnel under title 10, United States Code.

"(J) The veterans health care program under chapter 17 of title 38, United States Code.

Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

"(K) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in section 1072(4) of title 10, United States Code.

"(L) The Indian health service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.).

"(M) The Federal Employees Health Benefit Plan under chapter 89 of title 5, United States Code.

"(6) INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION.—The term 'individually identifiable health information' means any information, including demographic information collected from an individual, that—

"(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

"(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and—

"(i) identifies the individual; or

"(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

"(7) STANDARD.—The term 'standard', when used with reference to a data element of health information or a transaction referred to in section 1173(a)(1), means any such data element or transaction that meets each of the standards and implementation specifications adopted or established by the Secretary with respect to the data element or transaction under sections 1172 through 1174.

"(8) STANDARD SETTING ORGANIZATION.—The term 'standard setting organization' means a standard setting organization accredited by the American National Standards Institute, including the National Council for Prescription Drug Programs, that develops standards for information transactions, data elements, or any other standard that is necessary to, or will facilitate, the implementation of this part.

"GENERAL REQUIREMENTS FOR ADOPTION OF STANDARDS

"SEC. 1172. (a) APPLICABILITY.—Any standard adopted under this part shall apply, in whole or in part, to the following persons:

"(1) A health plan.

"(2) A health care clearinghouse.

"(3) A health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1173(a)(1).

"(b) REDUCTION OF COSTS.—Any standard adopted under this part shall be consistent with the objective of reducing the administrative costs of providing and paying for health care.

"(c) ROLE OF STANDARD SETTING ORGANIZATIONS.—

"(1) IN GENERAL.—Except as provided in paragraph (2), any standard adopted under this part shall be a standard that has been developed, adopted, or modified by a standard setting organization.

"(2) SPECIAL RULES.—

"(A) DIFFERENT STANDARDS.—The Secretary may adopt a standard that is different from any standard developed, adopted, or modified by a standard setting organization, if—

Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

"(i) the different standard will substantially reduce administrative costs to health care providers and health plans compared to the alternatives; and

"(ii) the standard is promulgated in accordance with the rulemaking procedures of subchapter III of chapter 5 of title 5, United States Code.

"(B) NO STANDARD BY STANDARD SETTING ORGANIZATION.—If no standard setting organization has developed, adopted, or modified any standard relating to a standard that the Secretary is authorized or required to adopt under this part—

"(i) paragraph (1) shall not apply; and

"(ii) subsection (f) shall apply.

"(3) CONSULTATION REQUIREMENT.—

"(A) IN GENERAL.—A standard may not be adopted under this part unless—

"(i) in the case of a standard that has been developed, adopted, or modified by a standard organization, the organization consulted with each of the organizations described in subparagraph (B) in the course of such development, adoption, or modification; and

"(ii) in the case of any other standard, the Secretary, in complying with the requirements of subsection (f), consulted with each of the organizations described in subparagraph (B) before adopting the standard.

"(B) ORGANIZATIONS DESCRIBED.—The organizations referred to in subparagraph (A) are the following:

"(i) The National Uniform Billing Committee.

"(ii) The National Uniform Claim Committee.

"(iii) The Workgroup for Electronic Data Interchange.

"(iv) The American Dental Association.

"(d) IMPLEMENTATION SPECIFICATIONS.—The Secretary shall establish specifications for implementing each of the standards adopted under this part.

"(e) PROTECTION OF TRADE SECRETS.—Except as otherwise required by law, a standard adopted under this part shall not require disclosure of trade secrets or confidential commercial information by a person required to comply with this part.

"(f) ASSISTANCE TO THE SECRETARY.—In complying with the requirements of this part, the Secretary shall rely on the recommendations of the National Committee on Vital and Health Statistics established under section 306(k) of the Public Health Service Act (42 U.S.C. 242k(k)), and shall consult with appropriate Federal and State agencies and private organizations. The Secretary shall publish in the Federal Register any recommendation of the National Committee on Vital and Health Statistics regarding the adoption of a standard under this part.

"(g) APPLICATION TO MODIFICATIONS OF STANDARDS.—This section shall apply to a modification to a standard (including an addition to a standard) adopted under section 1174(b) in the same manner as it applies to an initial standard adopted under section 1174(a).

Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

"STANDARDS FOR INFORMATION TRANSACTIONS AND DATA ELEMENTS "SEC. 1173. (a) STANDARDS TO ENABLE ELECTRONIC EXCHANGE.—

"(1) IN GENERAL.—The Secretary shall adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically, that are appropriate for-

"(A) the financial and administrative transactions described in paragraph (2); and

"(B) other financial and administrative transactions determined appropriate by the Secretary, consistent with the goals of improving the operation of the health care system and reducing administrative costs.

"(2) TRANSACTIONS.—The transactions referred to in paragraph (1)(A) are transactions with respect to the following:

"(A) Health claims or equivalent encounter information.

"(B) Health claims attachments.

"(C) Enrollment and disenrollment in a health plan.

"(D) Eligibility for a health plan.

"(E) Health care payment and remittance advice.

"(F) Health plan premium payments.

"(G) First report of injury.

"(H) Health claim status.

"(I) Referral certification and authorization.

"(3) ACCOMMODATION OF SPECIFIC PROVIDERS.—The standards adopted by the Secretary under paragraph (1) shall accommodate the needs of different types of health care providers.

"(b) UNIQUE HEALTH IDENTIFIERS.-

"(1) IN GENERAL.—The Secretary shall adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system. In carrying out the preceding sentence for each health plan and health care provider, the Secretary shall take into account multiple uses for identifiers and multiple locations and specialty classifications for health care providers.

"(2) USE OF IDENTIFIERS.—The standards adopted under paragraph (1) shall specify the purposes for which a unique health identifier may be used.

"(c) CODE SETS.—

"(1) IN GENERAL.—The Secretary shall adopt standards that-

"(A) select code sets for appropriate data elements for the transactions referred to in subsection (a)(1) from among the code sets that have been developed by private and public entities; or

"(B) establish code sets for such data elements if no code sets for the data elements have been developed.

"(2) DISTRIBUTION.—The Secretary shall establish efficient and low-cost procedures for distribution (including electronic distribution) of code sets and modifications made to such code sets under section 1174(b).

"(d) SECURITY STANDARDS FOR HEALTH INFORMATION.—

"(1) SECURITY STANDARDS.—The Secretary shall adopt security standards that-

"(A) take into account—

Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

"(i) the technical capabilities of record systems used to maintain health information;

"(ii) the costs of security measures;

"(iii) the need for training persons who have access to health information;

"(iv) the value of audit trails in computerized record systems; and

"(v) the needs and capabilities of small health care providers and rural health care providers (as such providers are defined by the Secretary); and

"(B) ensure that a health care clearinghouse, if it is part of a larger organization, has policies and security procedures which isolate the activities of the health care clearinghouse with respect to processing information in a manner that prevents unauthorized access to such information by such larger organization.

"(2) SAFEGUARDS.—Each person described in section 1172(a) who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards—

"(A) to ensure the integrity and confidentiality of the information;

"(B) to protect against any reasonably anticipated—

"(i) threats or hazards to the security or integrity of the information; and

"(ii) unauthorized uses or disclosures of the information; and

"(C) otherwise to ensure compliance with this part by the officers and employees of such person.

"(e) ELECTRONIC SIGNATURE.—

"(1) STANDARDS.—The Secretary, in coordination with the Secretary of Commerce, shall adopt standards specifying procedures for the electronic transmission and authentication of signatures with respect to the transactions referred to in subsection (a)(1).

"(2) EFFECT OF COMPLIANCE.—Compliance with the standards adopted under paragraph (1) shall be deemed to satisfy Federal and State statutory requirements for written signatures with respect to the transactions referred to in subsection (a)(1).

"(f) TRANSFER OF INFORMATION AMONG HEALTH PLANS.—The Secretary shall adopt standards for transferring among health plans appropriate standard data elements needed for the coordination of benefits, the sequential processing of claims, and other data elements for individuals who have more than one health plan.

"TIMETABLES FOR ADOPTION OF STANDARDS

"SEC. 1174. (a) INITIAL STANDARDS.—The Secretary shall carry out section 1173 not later than 18 months after the date of the enactment of the Health Insurance Portability and Accountability Act of 1996, except that standards relating to claims attachments shall be adopted not later than 30 months after such date.

"(b) ADDITIONS AND MODIFICATIONS TO STANDARDS.—

"(1) IN GENERAL.—Except as provided in paragraph (2), the Secretary shall review the standards adopted under section 1173, and shall adopt modifications to the standards (including additions to the standards), as determined appropriate, but not more frequently than once every 12 months. Any addition or modifi-

Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

cation to a standard shall be completed in a manner which minimizes the disruption and cost of compliance.

"(2) SPECIAL RULES.—

"(A) FIRST 12—MONTH PERIOD.—Except with respect to additions and modifications to code sets under subparagraph (B), the Secretary may not adopt any modification to a standard adopted under this part during the 12-month period beginning on the date the standard is initially adopted, unless the Secretary determines that the modification is necessary in order to permit compliance with the standard.

"(B) ADDITIONS AND MODIFICATIONS TO CODE SETS.—

"(i) IN GENERAL.—The Secretary shall ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets.

"(ii) ADDITIONAL RULES.—If a code set is modified under this subsection, the modified code set shall include instructions on how data elements of health information that were encoded prior to the modification may be converted or translated so as to preserve the informational value of the data elements that existed before the modification. Any modification to a code set under this subsection shall be implemented in a manner that minimizes the disruption and cost of complying with such modification.

"REQUIREMENTS

"SEC. 1175. (a) CONDUCT OF TRANSACTIONS BY PLANS.—

"(1) IN GENERAL.—If a person desires to conduct a transaction referred to in section 1173(a)(1) with a health plan as a standard transaction—

"(A) the health plan may not refuse to conduct such transaction as a standard transaction;

"(B) the insurance plan may not delay such transaction, or otherwise adversely affect, or attempt to adversely affect, the person or the transaction on the ground that the transaction is a standard transaction; and

"(C) the information transmitted and received in connection with the transaction shall be in the form of standard data elements of health information.

"(2) SATISFACTION OF REQUIREMENTS.—A health plan may satisfy the requirements under paragraph (1) by—

"(A) directly transmitting and receiving standard data elements of health information; or

"(B) submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse, and receiving standard data elements through the health care clearinghouse.

"(3) TIMETABLE FOR COMPLIANCE.—Paragraph (1) shall not be construed to require a health plan to comply with any standard, implementation specification, or modification to a standard or specification adopted or established by the Secretary under sections 1172 through 1174 at any time prior to the date on which the plan is required to comply with the standard or specification under subsection (b).

"(b) COMPLIANCE WITH STANDARDS.—

"(1) INITIAL COMPLIANCE.—

Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

"(A) IN GENERAL.—Not later than 24 months after the date on which an initial standard or implementation specification is adopted or established under sections 1172 and 1173, each person to whom the standard or implementation specification applies shall comply with the standard or specification.

"(B) SPECIAL RULE FOR SMALL HEALTH PLANS.—In the case of a small health plan, paragraph (1) shall be applied by substituting '36 months' for '24 months'. For purposes of this subsection, the Secretary shall determine the plans that qualify as small health plans.

"(2) COMPLIANCE WITH MODIFIED STANDARDS.—If the Secretary adopts a modification to a standard or implementation specification under this part, each person to whom the standard or implementation specification applies shall comply with the modified standard or implementation specification at such time as the Secretary determines appropriate, taking into account the time needed to comply due to the nature and extent of the modification. The time determined appropriate under the preceding sentence may not be earlier than the last day of the 180-day period beginning on the date such modification is adopted. The Secretary may extend the time for compliance for small health plans, if the Secretary determines that such extension is appropriate.

"(3) CONSTRUCTION.—Nothing in this subsection shall be construed to prohibit any person from complying with a standard or specification by—

"(A) submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse; or

"(B) receiving standard data elements through a health care clearinghouse.

"GENERAL PENALTY FOR FAILURE TO COMPLY WITH REQUIREMENTS AND STANDARDS

"SEC. 1176. (a) GENERAL PENALTY.—

"(1) IN GENERAL.—Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

"(2) PROCEDURES.—The provisions of section 1128A (other than subsections (a) and (b) and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subsection in the same manner as such provisions apply to the imposition of a penalty under such section 1128A.

"(b) LIMITATIONS.—

"(1) OFFENSES OTHERWISE PUNISHABLE.—A penalty may not be imposed under subsection (a) with respect to an act if the act constitutes an offense punishable under section 1177.

"(2) NONCOMPLIANCE NOT DISCOVERED.—A penalty may not be imposed under subsection (a) with respect to a provision of this part if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision.

"(3) FAILURES DUE TO REASONABLE CAUSE.—

Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

"(A) IN GENERAL.—Except as provided in subparagraph (B), a penalty may not be imposed under subsection (a) if-

"(i) the failure to comply was due to reasonable cause and not to willful neglect; and

"(ii) the failure to comply is corrected during the 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.

"(B) EXTENSION OF PERIOD.—

"(i) NO PENALTY.—The period referred to in subparagraph (A)(ii) may be extended as determined appropriate by the Secretary based on the nature and extent of the failure to comply.

"(ii) ASSISTANCE.—If the Secretary determines that a person failed to comply because the person was unable to comply, the Secretary may provide technical assistance to the person during the period described in subparagraph (A)(ii). Such assistance shall be provided in any manner determined appropriate by the Secretary.

"(4) REDUCTION.—In the case of a failure to comply which is due to reasonable cause and not to willful neglect, any penalty under subsection (a) that is not entirely waived under paragraph (3) may be waived to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.

"WRONGFUL DISCLOSURE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION

"SEC. 1177. (a) OFFENSE.—A person who knowingly and in violation of this part-

"(1) uses or causes to be used a unique health identifier;

"(2) obtains individually identifiable health information relating to an individual; or

"(3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b).

"(b) PENALTIES.—A person described in subsection (a) shall-

"(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;

"(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

"(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

"EFFECTS ON STATE LAW

"SEC. 1178. (a) GENERAL EFFECT.-

"(1) GENERAL RULE.—Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1172 through 1174, shall supersede any contrary provision of State law, including a provision of State law that requires

Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.

"(2) EXCEPTIONS.—A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1172 through 1174, shall not supersede a contrary provision of State law, if the provision of State law—

"(A) is a provision the Secretary determines—

"(i) is necessary—

"(I) to prevent fraud and abuse;

"(II) to ensure appropriate State regulation of insurance and health plans;

"(III) for State reporting on health care delivery or costs; or

"(IV) for other purposes; or

"(ii) addresses controlled substances; or

"(B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.

"b) PUBLIC HEALTH.—Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.

"(c) STATE REGULATORY REPORTING.—Nothing in this part shall limit the ability of a State to require a health plan to report, or to provide access to, information for management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification.

"PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS

"SEC. 1179. To the extent that an entity is engaged in activities of a financial institution (as defined in section 1101 of the Right to Financial Privacy Act of 1978), or is engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for a financial institution, this part, and any standard adopted under this part, shall not apply to the entity with respect to such activities, including the following:

"(1) The use or disclosure of information by the entity for authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting, a payment for, or related to, health plan premiums or health care, where such payment is made by any means, including a credit, debit, or other payment card, an account, check, or electronic funds transfer.

"(2) The request for, or the use or disclosure of, information by the entity with respect to a payment described in paragraph (1)—

"(A) for transferring receivables;

"(B) for auditing;

"(C) in connection with—

"(i) a customer dispute; or

"(ii) an inquiry from, or to, a customer;

Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

''(D) in a communication to a customer of the entity regarding the customer's transactions, payment card, account, check, or electronic funds transfer;

"(E) for reporting to consumer reporting agencies; or

"(F) for complying with—

"(i) a civil or criminal subpoena; or

"(ii) a Federal or State law regulating the entity.".

(b) CONFORMING AMENDMENTS.—

(1) REQUIREMENT FOR MEDICARE PROVIDERS.—Section 1866(a)(1)(42 U.S.C. 1395cc(a)(1)) is amended—

(A) by striking 'and' at the end of subparagraph (P);

(B) by striking the period at the end of subparagraph (Q) and inserting "; and"; and

(C) by inserting immediately after subparagraph (Q) the following new subparagraph:

"(R) to contract only with a health care clearinghouse (as defined in section 1171) that meets each standard and implementation specification adopted or established under part C of title XI on or after the date on which the health care clearinghouse is required to comply with the standard or specification.".

(2) TITLE HEADING.—Title XI (42 U.S.C. 1301 et seq.) is amended by striking the title heading and inserting the following:

"TITLE XI-—GENERAL PROVISIONS, PEER REVIEW, AND ADMINISTRATIVE SIMPLIFICATION".

SEC. 263. CHANGES IN MEMBERSHIP AND DUTIES OF NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS.

Section 306(k) of the Public Health Service Act (42 U.S.C. 242k(k)) is amended—

(1) in paragraph (1), by striking "16" and inserting "18";

(2) by amending paragraph (2) to read as follows:

"(2) The members of the Committee shall be appointed from among persons who have distinguished themselves in the fields of health statistics, electronic interchange of health care information, privacy and security of electronic information, population-based public health, purchasing or financing health care services, integrated computerized health information systems, health services research, consumer interests in health information, health data standards, epidemiology, and the provision of health services. Members of the Committee shall be appointed for terms of 4 years.";

(3) by redesignating paragraphs (3) through (5) as paragraphs (4) through (6), respectively, and inserting after paragraph (2) the following:

"(3) Of the members of the Committee—

"(A) 1 shall be appointed, not later than 60 days after the date of the enactment of the Health Insurance Portability and Accountability Act of 1996, by the Speaker of the House of Representatives after consultation with the Minority Leader of the House of Representatives;

"(B) 1 shall be appointed, not later than 60 days after the date of the enactment of the Health Insurance Portability and Accountability Act of 1996, by the

Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

President pro tempore of the Senate after consultation with the Minority Leader of the Senate; and

"(C) 16 shall be appointed by the Secretary.";

(4) by amending paragraph (5) (as so redesignated) to read as follows:

"(5) The Committee—

"(A) shall assist and advise the Secretary—

"(i) to delineate statistical problems bearing on health and health services which are of national or international interest;

"(ii) to stimulate studies of such problems by other organizations and agencies whenever possible or to make investigations of such problems through subcommittees;

"(iii) to determine, approve, and revise the terms, definitions, classifications, and guidelines for assessing health status and health services, their distribution and costs, for use (I) within the Department of Health and Human Services, (II) by all programs administered or funded by the Secretary, including the Federal State-local cooperative health statistics system referred to in subsection (e), and (III) to the extent possible as determined by the head of the agency involved, by the Department of Veterans Affairs, the Department of Defense, and other Federal agencies concerned with health and health services;

"(iv) with respect to the design of and approval of health statistical and health information systems concerned with the collection, processing, and tabulation of health statistics within the Department of Health and Human Services, with respect to the Cooperative Health Statistics System established under subsection (e), and with respect to the standardized means for the collection of health information and statistics to be established by the Secretary under subsection (j)(1);

"(v) to review and comment on findings and proposals developed by other organizations and agencies and to make recommendations for their adoption or implementation by local, State, national, or international agencies;

"(vi) to cooperate with national committees of other countries and with the World Health Organization and other national agencies in the studies of problems of mutual interest;

"(vii) to issue an annual report on the state of the Nation's health, its health services, their costs and distributions, and to make proposals for improvement of the Nation's health statistics and health information systems; and

"(viii) in complying with the requirements imposed on the Secretary under part C of title XI of the Social Security Act;

"(B) shall study the issues related to the adoption of uniform data standards for patient medical record information and the electronic exchange of such information;

"(C) shall report to the Secretary not later than 4 years after the date of the enactment of the Health Insurance Portability and Accountability Act of 1996 recommendations and legislative proposals for such standards and electronic exchange; and

"(D) shall be responsible generally for advising the Secretary and the Congress on the status of the implementation of part C of title XI of the Social Security Act."; and

Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

(5) by adding at the end the following:

"(7) Not later than 1 year after the date of the enactment of the Health Insurance Portability and Accountability Act of 1996, and annually thereafter, the Committee shall submit to the Congress, and make public, a report regarding the implementation of part C of title XI of the Social Security Act. Such report shall address the following subjects, to the extent that the Committee determines appropriate:

"(A) The extent to which persons required to comply with part C of title XI of the Social Security Act are cooperating in implementing the standards adopted under such part.

"(B) The extent to which such entities are meeting the security standards adopted under such part and the types of penalties assessed for noncompliance with such standards.

"(C) Whether the Federal and State Governments are receiving information of sufficient quality to meet their responsibilities under such part.

"(D) Any problems that exist with respect to implementation of such part.

"(E) The extent to which timetables under such part are being met.".

SEC. 264. RECOMMENDATIONS WITH RESPECT TO PRIVACY OF CERTAIN HEALTH INFORMATION.

(a) IN GENERAL.—Not later than the date that is 12 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall submit to the Committee on Labor and Human Resources and the Committee on Finance of the Senate and the Committee on Commerce and the Committee on Ways and Means of the House of Representatives detailed recommendations on standards with respect to the privacy of individually identifiable health information.

(b) SUBJECTS FOR RECOMMENDATIONS.—The recommendations under subsection (a) shall address at least the following:

(1) The rights that an individual who is a subject of individually identifiable health information should have.

(2) The procedures that should be established for the exercise of such rights.

(3) The uses and disclosures of such information that should be authorized or required.

(c) REGULATIONS—

(1) IN GENERAL.—If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by the date that is 36 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act. Such regulations shall address at least the subjects described in subsection (b).

(2) PRE-EMPTION.—A regulation promulgated under paragraph (1) shall not supercede [sic] a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more

Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×

stringent than the requirements, standards, or implementation specifications imposed under the regulation.

(d) CONSULTATION.—In carrying out this section, the Secretary of Health and Human Services shall consult with—

(1) the National Committee on Vital and Health Statistics established under section 306(k) of the Public Health Service Act (42 U.S.C. 242k(k)); and

(2) the Attorney General.

Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 233
Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 234
Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 235
Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 236
Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 237
Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 238
Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 239
Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 240
Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 241
Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 242
Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 243
Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 244
Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 245
Suggested Citation:"Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.
×
Page 246
Next: Appendix E Committee Biographies »
For the Record: Protecting Electronic Health Information Get This Book
×
Buy Hardback | $32.95 Buy Ebook | $26.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

When you visit the doctor, information about you may be recorded in an office computer. Your tests may be sent to a laboratory or consulting physician. Relevant information may be transmitted to your health insurer or pharmacy. Your data may be collected by the state government or by an organization that accredits health care or studies medical costs. By making information more readily available to those who need it, greater use of computerized health information can help improve the quality of health care and reduce its costs. Yet health care organizations must find ways to ensure that electronic health information is not improperly divulged. Patient privacy has been an issue since the oath of Hippocrates first called on physicians to "keep silence" on patient matters, and with highly sensitive data—genetic information, HIV test results, psychiatric records—entering patient records, concerns over privacy and security are growing.

For the Record responds to the health care industry's need for greater guidance in protecting health information that increasingly flows through the national information infrastructure—from patient to provider, payer, analyst, employer, government agency, medical product manufacturer, and beyond. This book makes practical detailed recommendations for technical and organizational solutions and national-level initiatives.

For the Record describes two major types of privacy and security concerns that stem from the availability of health information in electronic form: the increased potential for inappropriate release of information held by individual organizations (whether by those with access to computerized records or those who break into them) and systemic concerns derived from open and widespread sharing of data among various parties.

The committee reports on the technological and organizational aspects of security management, including basic principles of security; the effectiveness of technologies for user authentication, access control, and encryption; obstacles and incentives in the adoption of new technologies; and mechanisms for training, monitoring, and enforcement.

For the Record reviews the growing interest in electronic medical records; the increasing value of health information to providers, payers, researchers, and administrators; and the current legal and regulatory environment for protecting health data. This information is of immediate interest to policymakers, health policy researchers, patient advocates, professionals in health data management, and other stakeholders.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!