This page
explains in the briefest possible form the scope
of the new privacy rules promulgated by the Department
of Health and Human Services in December 2000. We've
also included HHS's summary
of its new regulations.
Coverage:
Health plans, health clearinghouses, and health care
providers that conduct certain electronic transactions.
Self-insured health plans with fewer than 50 participants
are excluded.
Protected Information: All medical records and individually
identifiable health information, however communicated.
Rules for de-identifying records are established.
Limits on Disclosure and Use: Permissible for purposes
of treatment, payment and operations pursuant to the patient's
general advance consent. Disclosure to the patient or
a personal representative, or in emergencies, is permitted.
A health care organization may withhold treatment
from a patient who does not consent. Use or disclosure
for non-health care purposes is not permitted without
written, voluntary, truly informed patient permission.
Treatment or coverage cannot be conditioned on consent
to non-health care use. Patient consent can be revoked
at any time in writing. Except for treatment purposes
and a few other exceptions, disclosure must be limited
to the minimum necessary for the purposes of the disclosure.
Even for treatment purposes, disclosure must be limited
to what is reasonably necessary to accomplish the
purpose for which the request was made.
Permitted Disclosure without Consent: Disclosure is permitted
to facilitate: oversight of the health care system;
public health; research approved by an independent
privacy board or institutional review board; certain
marketing and fundraising committees if targeted individuals
are given the opportunity to opt out from receiving
future communications; judicial or administrative proceedings;
certain law enforcement activities; emergencies and
serious health/safety threats; certain other specified
circumstances.
Disclosure is also permitted to "business associates"
that assist covered entities in ministerial functions
like billing, administration, etc. Covered entities
are responsible for the conduct of their business
associates.
Patient Control and Access: Health care organizations
must notify patients of their privacy rights and have
written privacy procedures; patients may see, copy
and request amendments to their records; patients
may request restrictions on the use of their records,
although providers need not comply; patients may complain
to their provider (which must establish a grievance
procedure) or to HHS about violations.
Preemption: The regulations preempt less stringent state laws
but not more stringent state laws, except where state
laws permit disclosures for civil purposes.
Effective Date: 2003.