image: OCR Newsletter banner 

Summer 2000                                               OCR UPdate - 8

OCR to Enforce Health Information Privacy Standards

U.S. Department of Health and Human Services (DHHS) Secretary Donna Shalala plans to give OCR responsibility for enforcing the recent health information privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, DHHS must establish regulations protecting the privacy of individually identifiable health information held by health plans, health care providers and clearinghouses ("covered entities"). This landmark legislation provides individuals—for the first time—with federal protection against inappropriate use and disclosure of personal health information.

The proposed rule, 45 CFR Parts 160 through 164, Standards for Privacy of Individually Identifiable Health Information, was published in the Wednesday, November 3, 1999 edition of the Federal Register (Vol. 64, No. 212, pp. 59918-60065). The comment period ended on February 17, 2000. The Department has received more than 52,000 comments on this regulation. DHHS is reviewing and analyzing these comments, and will be preparing a final rule. Covered entities must comply with the rule two years and two months following the publication date of the final rule.

Under the proposal, covered entities would not be able to use or disclose an individual's protected health information except as provided under the regulation. The regulation also requires health plans and health care providers: (1) to provide individuals with a notice of their privacy policies and procedures; (2) to allow individuals to inspect and obtain a copy of health information in their medical records; (3) to provide individuals with an accounting of disclosures of their health information; and (4) to either correct errors in an individual's record or to allow the individual to include a statement of disagreement in that record.

Individuals who believe a covered entity has violated these or other privacy rights under the regulation would be able to file a complaint with OCR. There is no private right of action, so an OCR complaint will be the only recourse for aggrieved parties.

OCR has already begun the process of developing the necessary infrastructure to enforce the regulation. Our initial efforts will place heavy emphasis upon education and technical assistance. Prevention and education can prevent a myriad of potential violations.

Page 1, Page 2, Page 3 - Contents, Page 4, Page 5, Page 6, Page 7, Page 8, Page 9, Page 10, Page 11, Page 12, Page 13, Page 14, Page 15, Page 16, Page 17, Page 18, Page 19

Return to HHS Home Page Return to OCR Home Page