The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) took effect on April 14, 2001.

The purpose of the Privacy Rule was to create national standards to protect individuals' personal health information and give patients increased access to their medical records.

As required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Privacy Rule covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically.

Most covered entities must comply with the Privacy Rule by April 14, 2003. Small health plans have until April 14, 2004 to comply with the Rule.

In addition to the issues addressed in the accompanying article by William Martin Sloane, J.D., LL.M., the following are some of rules of particular interest or importance to chiropractors.

Marketing -- The final Rule requires a covered entity to obtain an individual's prior written authorization to use his or her protected health information for marketing purposes except for a face-to-face encounter or a communication involving a promotional gift of nominal value.

The HHS distinguishes between the types of communications that are and are not marketing, and makes clear that a covered entity is prohibited from selling lists of patients and enrollees to third parties or from disclosing protected health information to a third party for the marketing activities of the third party, without the individual's authorization.

The Rule clarifies that doctors and other covered entities communicating with patients about treatment options or the covered entity's own health-related products and services are not considered marketing. For example, health care plans can inform patients of additional health plan coverage and value-added items and services, such as discounts for prescription drugs or eyeglasses.

Consent and Notice -- The Department made changes to protect privacy while eliminating barriers to treatment by strengthening the notice requirement and making consent for routine health care delivery purposes (known as treatment, payment, and health care operations) optional.

The strengthened notice requires direct treatment providers to make a good faith effort to obtain patient's written acknowledgment of the notice of privacy rights and practices. The final Rule promotes access to care by removing mandatory consent requirements that would inhibit patient access to health care while providing covered entities with the option of developing a consent process that works for that entity. The Rule also allows consent requirements already in place to continue.

Incidental Use and Disclosure -- The final Rule acknowledges that uses or disclosures that are incidental to an otherwise permitted use or disclosure may occur. Such incidental uses or disclosures are not considered a violation of the Rule provided that the covered entity has met the reasonable safeguards and minimum necessary requirements.

For example, if these requirements are met, doctors' offices may use waiting room sign-in sheets, hospitals may keep patient charts at bedside, doctors can talk to patients in semi-private rooms, and doctors can confer at nurse's stations without fear of violating the rule if overheard by a passerby.

Authorization -- The final Rule clarifies the authorization requirements to the Privacy Rule to, among other things, eliminate separate authorization requirements for covered entities. Patients will have to grant permission in advance for each type of non-routine use or disclosure, but providers will not have to use different types of forms. These modifications also consolidate and streamline core elements and notification requirements.

Parents and Minors -- The final Rule clarifies that state law, or other applicable law, governs in the area of parents and minors. Generally, the Privacy Rule provides parents with new rights to control the health information about their minor children, with limited exceptions that are based on state or other applicable law and professional practice.

For example, where a state has explicitly addressed disclosure of a minor's health information to a parent, or access to a child's medical record by a parent, the final Rule clarifies that state law governs.

In addition, the final Rule clarifies that, in the special cases in which the minor controls his or her own health information under such law and that law does not define the parents' ability to access the child's health information a licensed health care provider continues to be able to exercise discretion to grant or deny such access as long as that decision is consistent with the state or other applicable law.

Protected Health Information: Exclusion for Employment Records - The final Rule clarifies that employment records maintained by a covered entity in its capacity as an employer are excluded from the definition of protected health information. The modifications do not change the fact that individually identifiable health information created, received, or maintained by a covered entity in its health care capacity is protected health information.

On July 6, 2001, the Department issued its first guidance to answer common questions and clarify certain of the Privacy Rule's provisions. The revised guidance will be available on the HHS Office for Civil Rights Privacy Web site at www.hhs.gov/ocr/hipaa/.