Compliance with the HIPAA Medical Privacy Rule (CRS Report for Congress)
Release Date: April 24, 2003
Report Number: RS21505
Report Type: Report
Authors: Gina Marie Stevens, American Law Division
Source Agency: Congressional Research Service
Summary:
As of April 14, 2003, most health care providers (including doctors and hospitals) and health plans are required to comply with the new Privacy Rule mandated by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and must comply with national standards to protect individually identifiable health information. The HIPAA Privacy Rule creates a federal floor of privacy protections for individually identifiable health information; establishes a set of basic consumer protections; institutes a series of regulatory permissions for uses and disclosures of protected health information; permits any person to file an administrative complaint for violations; and authorizes the imposition of civil or criminal penalties. In hearings prior to the effective date of the Rule, there was widespread concern over aspects of the Rule, including the extent to which it preempted state laws. On April 17, 2003, HHS published an interim final rule establishing the rules of procedure for investigations and the imposition of civil money penalties concerning violations. This interim final rule will be effective May 19, 2003, through September 16, 2003. HHS plans to issue a complete Enforcement Rule with both procedural and substantive provisions after notice-and-comment rulemaking. This report will be updated.