
Part 1: Learning About HIPAA (FAQ 10 of 65)

 

10. What are Fair Information Practices and How Do They Relate to HIPAA?

If you read the HIPAA privacy rule -- and stayed awake while doing it -- the rule would appear to be a welter of detailed and uncoordinated provisions. It actually has a structure, but that structure is difficult to appreciate unless you know about Fair Information Practices, or unless you read the Preamble to the rule. The rule implements Fair Information Practices (FIPs), an established set of principles for addressing concerns about information privacy. FIPs are especially significant because they form the basis of many privacy laws in the United States and, to a much greater extent, around the world. Understanding FIPs makes it easier to make sense of the HIPAA privacy rules.

The eight FIPs generally recognized are:

  1. Openness;
  2. Use Limitation;
  3. Purpose Specification;
  4. Collection Limitation;
  5. Data Quality;
  6. Security;
  7. Access and Correction; and
  8. Accountability.

We could discuss FIPs here in more detail, but it would be a distraction. Different versions of FIPs exist, and the actual application of FIPs to any set of personal records can be complex, variable, and controversial. We just want you to know that there are basic principles of information privacy that HIPAA (mostly) implements. You can read a short introduction to FIPs here: http://www.worldprivacyforum.org/fairinformationpractices.html. Understanding FIPs is not essential to understanding HIPAA, but it may help some people. If you are interested, you can find a short (ten pages or so) history of FIPs at www.bobgellman.com/rg-docs/rg-FIPshistory.pdf.
