hipaa logo

Introduction and Purpose (FAQ 3 of 65)

 

3. What Federal Laws Are Relevant to Health Privacy?

HIPAA is the most important federal health privacy law for almost everybody. Most of this guide explains what you should know about HIPAA. This guide also highlights some other federal laws that may be relevant to health privacy. There are five federal laws beyond HIPAA we think you should know about, each of these touch on privacy slightly differently.

They are:

  • Privacy Act of 1974
  • Confidentiality of Alcohol and Drug Abuse Patient Records Regulations
  • Family Educational Rights and Privacy Act (FERPA)
  • Americans with Disabilities Act (ADA)
  • Genetic Information Nondiscrimination Act (GINA)

We discuss each of these laws briefly below.

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act, a 1996 federal statute. Most of this guide focuses on HIPAA. To read more about HIPAA, start with FAQ 4. To get a more complete overview of HIPAA, FAQs 4 through 12 offer a good starting point. Privacy Act of 1974.

An important federal privacy law is the Privacy Act of 1974 www.usdoj.gov/oip/privstat.htm. The Privacy Act of 1974 covers nearly all personal records (not just health records) maintained by federal agencies and some federal contractors. It applies to military health records, veterans' records, Indian Health Service records, Medicare records, and medical records of other federal agencies. HIPAA also applies to these same federal records. So if a federal agency has medical information about you, you are entitled to the best protections in both laws. HIPAA is sometimes better, but rights under the Privacy Act of 1974 are often better than HIPAA.

You can learn more about the Privacy Act of 1974 from a guide published by the Department of Justice. Warning: The Privacy Act of 1974 is just as complicated as HIPAA, and maybe even more so. Remember that the Privacy Act of 1974 does not apply to most hospitals, clinics, or physicians. The Privacy Act of 1974 does not apply to them just because they may receive federal funds or are tax-exempt. Remember, the Act applies to federal agencies, not federal funds recipients.

SIDEBAR:

The National Institutes of Health -- part of the Department of Health and Human Services -- may be one of the few major health care institutions in the United States not covered by HIPAA. But the Privacy Act of 1974 still applies to the NIH. More at www.nih.gov.

 

 

SIDEBAR

Upcoming changes to HIPAA

This guide reflects the HIPAA health privacy rule as it stood on January 1, 2009. However, in the American Recovery and Reinvestment Act of 2009 (ARRA), Congress enacted a number of provisions of law that will ultimately require changes in the rule. Many of the changes will enhance and extend existing privacy protections modestly.

The rulemaking process will take some time. New rules are likely to appear during the next two years and will take effect at various times. We decided that it would be too confusing for users if we tried to describe the pending changes. Another problem is that the new law has some uncertainties, and we will not really know what the law really means until the Department of Health and Human Services adopts a final rule.

We hope to change this guide as needed when the health privacy rule changes. We don't expect anything to happen before the end of 2009, except possibly for a health record security breach rule. That rule, while important, is not something that this guide would cover because the details are not as important to consumers seeking to explore and exercise their health privacy rights.

Confidentiality of Alcohol and Drug Abuse Patient Records Regulations

The Confidentiality of Alcohol and Drug Abuse Patient Records Regulations are an important set of federal rules for some health records. These rules provide privacy protections for medical records of federally funded substance abuse (alcohol and drug abuse) health care providers.

Rule of thumb:

The alcohol and drug abuse rules contain the strictest privacy protections of just about any law. The rules allow many fewer disclosures than HIPAA, and the restrictions generally follow the records. That is a very unusual but very privacy-protective policy.

The Substance Abuse and Mental Health Services Administration (SAMHSA) administers the alcohol and drug abuse rules. SAMHSA is part of the Department of Health and Human Services. You can find a document that discussed how HIPAA and the substance abuse privacy rule relate. However, there are few other useful privacy materials at the SAMHSA website.

 

Family Educational Rights and Privacy Act

Health records at most schools and colleges (at least those receiving federal funds) are not covered by HIPAA but by the Family Educational Rights and Privacy Act (FERPA). You will find more information about FERPA and a link later in this guide. (See FAQ 9.) In general, FERPA's protections are better than HIPAA in some ways and not as good in others. If you can't wait, you will find joint HHS-Department of Education guidance on student health records at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf. If you have not looked at FERPA recently, you should be aware that the Department of Education updated the FERPA regulation at the end of 2008.

 

Americans with Disabilities Act

The Americans with Disabilities Act (ADA) provides employees with disabilities some protections against discrimination in the workplace. The law includes limited workplace privacy protections as well. You can learn more about the ADA at the Equal Employment Opportunity Commission's website. www.eeoc.gov/types/ada.html.

 

Genetic Information Nondiscrimination Act (GINA)

The Genetic Information Nondiscrimination Act provides some federal protection from genetic discrimination in health insurance and employment. Genetic discrimination occurs when people are treated differently by their employer or insurance company because they have a genetic change that causes or increases the risk of an inherited disorder. GINA is a federal law designed to protect people in the United States from this form of discrimination. Most states have similar laws.

Title I of GINA makes it illegal for health insurance providers to use or require genetic information to make decisions about a person's insurance eligibility or coverage. This part of the law goes into effect on May 21, 2009. Title II makes it illegal for employers to use a person's genetic information when making decisions about hiring, promotion, and several other terms of employment. This part of the law goes into effect on November 21, 2009. For more on GINA, see ghr.nlm.nih.gov. GINA has been controversial in some respects. Some think that the protections of GINA are not all that useful. Others see many loopholes in the GINA protections. See www.aacc.org.

Some other federal privacy laws may apply at times to health records held by some records keepers (e.g., banks and credit bureaus). For example, in 2008, the Federal Trade Commission issued Red Flag rules that tell creditors (including some health care providers) what to do to look for cases of identity theft. See www.ftc.gov/opa/2007/10/redflag.shtm and www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. We don't think that these laws are relevant enough to most people to explain here. If you want to know more about the Red Flag rules, see the World Privacy Forum report Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers at www.worldprivacyforum.org/pdf/WPF_RedFlagReport_09242008fs.pdf.

 

Jump to list of FAQs 1-65 | See all of Introduction