Uh-oh, here comes the HHS privacy rule

Robert Gellman

To many people's surprise, the health privacy rule issued by the Health and Human Services Department became final in April. When HHS Secretary Tommy Thompson asked for comments on the rule in February, it was universally assumed that the rules would be pulled back and revised. Instead, it appears that President Bush overruled Thompson.

The degree of presidential interest in privacy is certainly notable.

The health privacy rule will affect every institution that provides or pays for health care, including federal agencies, which sometimes do both. They are already subject to the Privacy Act of 1974, which remains in full force, and they must find a way to reconcile the health privacy rule with the Privacy Act.

Both the HHS rule and the Privacy Act require agencies to notify people of privacy policies. Under the Privacy Act, some notices must be published in the Federal Register, and others belong on forms used to collect personal information.

Under the health privacy rule, individuals have a right to receive detailed notice of privacy practices. Agencies will have to prepare the required notice (and quite possibly several separate notices) in addition to the Privacy Act notices.

Both the HHS rule and the Privacy Act provide for patient access to and correction of records. The exceptions in the two laws are different, and patients should be able to obtain the maximum protection under either law.

The correction rules differ significantly. Under the HHS rule, the exceptions to correction cancel many of the rights, so anyone seeking correction of a federal record will use the Privacy Act procedure.

Disclosures of health records are restricted under both the HHS rule and the Privacy Act. Both permit some disclosures with consent, but the two have different procedural requirements. Disclosures without consent are also authorized under both, but the differences are significant, and it will take care to reconcile them.

Two observations emerge from comparing the act and the rule. First, HHS ignored experience with the Privacy Act and gave patients narrower rights to those records not maintained by federal agencies. This is especially true for access and correction. HHS chose this route even though patients' exercise of their rights has created no known problems or significant costs.

In access and correction, HHS looked privacy rights in the eye and blinked.

Second, the differences between the two regimes will create forum-shopping opportunities. If your doctor won't give you access to your records, see if a federal agency has a copy. The agency cannot withhold some things that the doctor can.

Agencies have a couple of years to prepare for the health privacy rule. They will have to revise forms, systems-of-record notices and other Privacy Act procedures. Some of the choices will be complex, so now is the time to start thinking about it. For agencies with lots of health records, it may take the full two years to get ready.

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at [email protected].
