Health Information Privacy Law and Policy
What Type of Patient Choice Exists Under HIPAA?
Most health care providers must follow the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (Privacy Rule), a federal privacy law that sets a baseline of protection for certain individually identifiable health information (“health information”).
The Privacy Rule generally permits, but does not require, covered health care providers to give patients the choice as to whether their health information may be disclosed to others for certain key purposes. These key purposes include treatment, payment, and health care operations.
How Can Patient Choice Be Implemented in Electronic Health Information Exchange?
While it is not required, health care providers may decide to offer patients a choice as to whether their health information may be exchanged electronically, either directly or through a health information exchange organization (HIE). That is, they may offer an “opt-in” or “opt-out” policy or a combination of the two.
Are There Specific Legal Requirements for Opt-In or Opt-Out Policies?
The U.S. Department of Health and Human Services (HHS) does not set out specific steps or requirements for obtaining a patient’s choice whether to participate in electronic health information exchange (eHIE). However, adequately informing patients of these new models for exchange and giving them the choice whether to participate is one means of ensuring that patients trust these systems. Providers are therefore encouraged to enable patients to make a “meaningful” consent choice rather than an uninformed one.
You can read more about patient choice and eHIE in guidance released by the Office for Civil Rights (OCR): The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment.
Are There Privacy Laws that Require Patient Consent?
Yes. There are some federal and state privacy laws (e.g., 42 CFR Part 2, Title X of the Public Health Service Act) that require health care providers to obtain patients’ written consent before they disclose their health information to other people and organizations, even for treatment. Many of these privacy laws protect information that is related to health conditions considered “sensitive” by most people.
How Does HIPAA Affect These Other Privacy Laws?
HIPAA created a baseline of privacy protection. It overrides (or “preempts”) contrary state privacy laws that are less protective, but it leaves in effect state laws that are more privacy-protective, and it does not displace other federal privacy laws such as 42 CFR Part 2. Under this legal framework, health care providers and other implementers must continue to follow other applicable federal and state laws that require obtaining patients’ consent before disclosing their health information.
Federal, State, and Organization Resources about Consent, Personal Choice, and Confidentiality
The resources listed below provide links to some federal, state, and organization resources that may be of interest for those setting up eHIE policies in consultation with legal counsel. Implementers may also want to visit their state’s law and policy sites for additional information.
We encourage providers, HIEs, and other health IT implementers to seek expert advice when evaluating these resources, as privacy laws and policies continually evolve. The resources are not intended to serve as legal advice or offer recommendations based on an implementer’s specific circumstances.
Health Information in General
- Individual Choice: The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment – guidance regarding the HIPAA Privacy Rule as it relates to the Choice Principle in the Privacy and Security Framework.
- Openness and Transparency and The HIPAA Privacy Rule – guidance promoting clarity about policies, procedures, and technologies that directly affect patients and/or their health information.
Sensitive Health Information (e.g., behavioral health information, HIV/AIDS status, and genetic information)
- Mental Health and Substance Abuse: Applying the Substance Abuse Confidentiality Regulations (42 CFR Part 2) – Frequently Asked Questions (FAQs) from the Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office of the National Coordinator for Health Information Technology (ONC) to help providers in the behavioral health field better understand privacy issues related to health IT.
- Mental Health and Substance Abuse: Legal Action Center in Conjunction with SAMHSA’s Webinar Series on Alcohol and Drug Confidentiality Regulations (42 CFR Part 2) – slides and videos providing an overview of alcohol and drug confidentiality rules, further explanation of SAMHSA FAQs, and supplemental material.
- Mental Health and Substance Abuse: SAMHSA – Health Resources and Services Administration (HRSA) Center for Integrated Health Solutions – resources and examples to help providers fully understand and overcome confidentiality issues, including those related to pediatrics.
- Student Health Records: U.S. Department of Health and Human Services and Department of Education Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and HIPAA to Student Health Records – overview of FERPA, HIPAA, and where they may intersect. This document also contains an FAQ section.
- Family Planning: Title X of the Public Health Service Act, 42 CFR 59.11 – Confidentiality – federal rules about consent and confidentiality of patient information as it pertains to federally funded family planning clinics.
- Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information – ONC’s privacy and security policy framework for eHIE, meant to help guide the nation’s adoption of health IT and help improve the availability of health information and health care quality.
- Privacy and Security Program Instruction Notice (PIN) for State HIEs – a common set of privacy and security requirements to help State HIE Cooperative Agreement recipients create privacy and security policies and practices for HIE services. The guidance also assists state policy leaders and other stakeholders who are setting up common privacy and security policies and practices for communities, regions, and states. The PIN can serve as a framework and offer specific direction and guidance to these efforts.
- Governance Framework for Trusted Electronic Health Information Exchange – ONC’s guiding principles on HIE governance. The document provides a common conceptual foundation applicable to all types of governance models and expresses the principles ONC believes are most important for HIE governance. The Governance Framework does not prescribe specific solutions but lays out milestones and outcomes that ONC expects for and from HIE governance entities as they enable eHIE.
- Principles and Strategy for Accelerating HIE – ONC’s general principles and strategy for accelerating health information exchange, including a focus on privacy and security issues and potential solutions.
Federal Advisory Committee (FACA) Recommendations
- Health IT Policy Committee’s Tiger Team’s Recommendations on Individual Choice – FACA recommendations to HHS on privacy and security policies and practices that will help build public trust in HIT and eHIE and enable their proper use to improve health care quality and efficiency. These recommendations informed ONC’s State HIE PIN as well as the eConsent and Data Segmentation efforts.
- Health IT Policy Committee’s Tiger Team’s Recommendations on Exchange of Health Information in Query Response Models and Meaningful Consent – set of recommendations on query models of exchange that includes meaningful choice for patients.
- National Committee on Vital Health Statistics (NCVHS) Recommendations Regarding Privacy and Confidentiality in the Nationwide Health Information Network – report containing recommendations for a broad set of consistent privacy principles to be built into the Nationwide Health Information Network (NHIN), as well as into future federal health information privacy laws. These recommendations informed ONC’s State HIE PIN as well as the eConsent and Data Segmentation efforts.
- State and Federal Consent Laws Affecting Interstate Health Information Exchange – legal standards and issues that should be addressed when developing policies around creation of consent strategies.
- State Law Requirements for Patient Permission to Disclose Health Information Report – research findings into how the various state laws govern the disclosure of health information. This document also provides an overview of federal consent laws.
- Interstate Disclosure and Patient Consent Requirements Report – documentation of the state law requirements for disclosure of health information for treatment purposes within and across state lines.
- Intrastate and Interstate Consent Policy Options Report – tools and resources for states and health care stakeholders to use to decide what level of choice is proper for patients regarding the electronic access, use, and disclosure of their health information. This also includes tools and resources that states can use to evaluate which, if any, of the interstate legal mechanisms they could successfully employ.
- Access to Minors’ Health Information – section 3.2.6 of this report covers access to minors’ health information. It includes a discussion of minors’ ability to consent to disclosure of related health information.
- Guidance for Developing Consent Policies for Health IT – suggestions for crafting consent policies.
- Regional Health Information Organization (RHIO) Privacy Principles, Policies and Procedures – example of one RHIO’s documentation for their privacy policies and procedures.