31 J.L. Med. & Ethics 70 (2003)
The HIPAA Privacy Rule: Reviewing the Post-Compliance Impact on Public Health Practice and Research

handle is hein.journals/medeth31 and id is 814 raw text is: The HIPAA Privacy Rule: Reviewing
the Post-Compliance Impact on Public
Health Practice and Research

Lora Kutkat, James G. Hodge, Jr., Thomas Jeffry, Jr.,
and Diana M. Bontdt (Moderator)

Diana M. Bontd
C urrent economic conditions have coincided
with the implementation of the Health
Insurance Portability and Accountability Act
(HIPAA) and forced public health officials to
consider how to ethically incorporate compliance
into their already strained budgets, while main-
taining the integrity and intent of the legislation.
Lora Kutkat
As of April 14, 2003, the HIPAA Privacy
Rule provides a new federal floor of
protections for personal health information. The
Privacy Rule establishes standards for the protec-
tion of health information held by many physi-
cians' offices, health plans, and health care clear-
inghouses. The Rule protects personal health
information by establishing conditions regulating
the use and disclosure of individually identifiable
health information by these entities, also referred
to as covered entities. The Rule does not prevent
the daily operations of health care establishments
(i.e., the treatment of patients and the collection
of payment). These activities are considered
routine, expected operations in health care estab-
lishments, and as such, an individual's permission
is not required under the Privacy Rule when
personal health information is used for these, and
limited other, purposes.
The Privacy Rule applies only to those organi-
zations and individuals that qualify as covered
entities. The Privacy Rule's application to
research is determined by whether a covered entity
is conducting the research. If research is being

conducted by a covered entity, then the HIPAA
regulations generally apply to that covered
entity's uses and disclosures of protected health
information for research. On the other hand,
many researchers who collect and release personal
health information will not have to comply with
the Privacy Rule because they will not be covered
Most individually identifiable health informa-
tion held by covered entities, referred to as
protected health information (PHI), is protected
by the Privacy Rule. PHI exists only when three
elements occur simultaneously: when health
information with an identifier (e.g., name,
address, social security number, date of birth, or
other knowledge that the health information is
individually identifiable) is held or maintained by
a covered entity. The Privacy Rule does not apply
when one or more of these elements is missing.
Under the Privacy Rule, research conducted
by a covered entity must generally be conducted
with an individual's authorization. There are
several exceptions to this rule, however. For
example, the Privacy Rule sets standards to
de-identify health information and create a limited
dataset. A limited dataset is protected health
information minus direct identifiers and may be
used or disclosed for research and public health
activities when a data use agreement is in effect
between the covered entity and the recipient of the
information. In addition, an Institutional Review
Board (IRB) or a privacy board may waive the
authorization requirement, a process slightly dif-
ferent from waiving informed consent. IRBs and
privacy boards can waive authorization when it

What Is HeinOnline?

With comprehensive coverage of government documents and more than 2,400 journals from inception on hundreds of subjects such as political science, criminal justice, and human rights, HeinOnline is an affordable option for colleges and universities. Documents have the authority of print combined with the accessibility of a user-friendly and powerful database.

Short-term subscription options include 24 hours, 48 hours, or 1 week to HeinOnline with pricing starting as low as $29.95

Already a HeinOnline Subscriber?