Enforcement of the HIPAA Privacy and Security Rules (CRS Report for Congress)

Release Date: Revised Feb. 3, 2009
Report Number: RL33989
Report Type: Report
Authors: Gina Marie Stevens, Legislative Attorney
Source Agency: Congressional Research Service
Older Revisions:
  • Revised Aug. 11, 2008 (18 pages)
  • April 30, 2007 (17 pages)
Summary:

The privacy and security of health information is recognized as a critical element of transforming the health care system through the use of health information technology. As part of H.R. 1, the American Recovery and Reinvestment Act of 2009, the 111th Congress is considering legislation to promote the widespread adoption of health information technology, which includes provisions dealing with the privacy and security of health records. For further information, see CRS Report RS22760, Electronic Personal Health Records, by Gina Stevens.

P.L. 104-191, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), directed HHS to adopt standards to facilitate the electronic exchange of health information for certain financial and administrative transactions. Health plans, health care clearinghouses, and health care providers are required to use standardized data elements and comply with the national standards and regulations. Failure to do so may subject the covered entity to penalties.

The HIPAA Privacy Rule was adopted by HHS as the national standard for the protection of health information. It regulates the use and disclosure of protected health information by health plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically; establishes a set of basic consumer protections; permits any person to file an administrative complaint for violations; and authorizes the imposition of civil or criminal penalties. Enforcement of the Privacy Rule began in 2003.

The HIPAA Security Rule was adopted by HHS as the national standard for the protection of electronic health information. It requires covered entities to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information, and to protect against any reasonably anticipated threats or hazards to the security or integrity of such information, as well as against any unauthorized uses or disclosures of such information. The Centers for Medicare and Medicaid Services (CMS) has been delegated authority to enforce the HIPAA Security Standard, effective February 16, 2006.

On March 16, 2006, the Final HIPAA Administrative Simplification Enforcement Rule became effective. The Enforcement Rule has both procedural and substantive provisions, and is applicable to all HIPAA administrative simplification standards. The Enforcement Rule establishes procedures for the imposition of civil money penalties for violations of the rules.

Lawmakers and others are examining the statutory and regulatory framework for enforcement of the HIPAA Privacy and Security standards, and ways to ensure that agencies use their enforcement authority under HIPAA to address improper uses and disclosures of protected health information. Concerns have been raised by some that the HIPAA Privacy and Security Rules are being underenforced by HHS, DOJ, and CMS. Of approximately 41,107 health information privacy complaints filed with HHS since 2003, HHS found authority to investigate and resolve 7,729 cases. Criminal convictions have been obtained by DOJ in four cases involving employees of covered entities who improperly obtained protected health information. Since February 2006, CMS has not conducted any HIPAA Security Rule compliance reviews.

This report provides an overview of the HIPAA Privacy and Security Rules, and of the statutory and regulatory enforcement scheme. In addition, it summarizes enforcement activities by HHS, DOJ, and CMS. This report will be updated.