Introduction and Purpose (FAQ 3 of 65)
3. What Federal Laws Are Relevant to Health Privacy?
HIPAA is the most important federal health privacy law for almost everybody. Most of this guide explains what you should know about HIPAA. This guide also highlights some other federal laws that may be relevant to health privacy. There are five federal laws beyond HIPAA that we think you should know about, each of which touches on privacy slightly differently.
We discuss each of these laws briefly below.
HIPAA
HIPAA stands for the Health Insurance Portability and Accountability Act, a 1996 federal statute. Most of this guide focuses on HIPAA. To read more about HIPAA, start with FAQ 4. To get a more complete overview of HIPAA, FAQs 4 through 12 offer a good starting point.
Privacy Act of 1974
An important federal privacy law is the Privacy Act of 1974 (www.usdoj.gov/oip/privstat.htm). The Privacy Act of 1974 covers nearly all personal records (not just health records) maintained by federal agencies and some federal contractors. It applies to military health records, veterans' records, Indian Health Service records, Medicare records, and medical records of other federal agencies. HIPAA also applies to these same federal records. So if a federal agency has medical information about you, you are entitled to the best protections in both laws. HIPAA is sometimes better, but rights under the Privacy Act of 1974 are often stronger than those under HIPAA.
You can learn more about the Privacy Act of 1974 from a guide published by the Department of Justice. Warning: The Privacy Act of 1974 is just as complicated as HIPAA, and maybe even more so. Remember that the Privacy Act of 1974 does not apply to most hospitals, clinics, or physicians. It does not apply to them just because they may receive federal funds or are tax-exempt. Remember, the Act applies to federal agencies, not to recipients of federal funds.
Confidentiality of Alcohol and Drug Abuse Patient Records Regulations
The Confidentiality of Alcohol and Drug Abuse Patient Records Regulations are an important set of federal rules for some health records. These rules provide privacy protections for medical records of federally funded substance abuse (alcohol and drug abuse) health care providers.
Family Educational Rights and Privacy Act
Health records at most schools and colleges (at least those receiving federal funds) are not covered by HIPAA but by the Family Educational Rights and Privacy Act (FERPA). You will find more information about FERPA and a link later in this guide. (See FAQ 9.) In general, FERPA's protections are better than HIPAA's in some ways and not as good in others. If you can't wait, you will find joint HHS-Department of Education guidance on student health records at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf. If you have not looked at FERPA recently, you should be aware that the Department of Education updated the FERPA regulation at the end of 2008.
Americans with Disabilities Act
The Americans with Disabilities Act (ADA) provides employees with disabilities some protections against discrimination in the workplace. The law includes limited workplace privacy protections as well. You can learn more about the ADA at the Equal Employment Opportunity Commission's website, www.eeoc.gov/types/ada.html.
Genetic Information Nondiscrimination Act (GINA)
The Genetic Information Nondiscrimination Act provides some federal protection from genetic discrimination in health insurance and employment. Genetic discrimination occurs when people are treated differently by their employer or insurance company because they have a genetic change that causes or increases the risk of an inherited disorder. GINA is a federal law designed to protect people in the United States from this form of discrimination. Most states have similar laws.
Title I of GINA makes it illegal for health insurance providers to use or require genetic information to make decisions about a person's insurance eligibility or coverage. This part of the law goes into effect on May 21, 2009. Title II makes it illegal for employers to use a person's genetic information when making decisions about hiring, promotion, and several other terms of employment. This part of the law goes into effect on November 21, 2009. For more on GINA, see ghr.nlm.nih.gov. GINA has been controversial in some respects. Some think that the protections of GINA are not all that useful. Others see many loopholes in the GINA protections. See www.aacc.org.
Some other federal privacy laws may apply at times to health records held by some records keepers (e.g., banks and credit bureaus). For example, in 2008, the Federal Trade Commission issued Red Flag rules that tell creditors (including some health care providers) what to do to look for cases of identity theft. See www.ftc.gov/opa/2007/10/redflag.shtm and www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. We don't think that these laws are relevant enough to most people to explain here. If you want to know more about the Red Flag rules, see the World Privacy Forum report Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers at www.worldprivacyforum.org/pdf/WPF_RedFlagReport_09242008fs.pdf.