Getting 'Hip' to Other Privacy Laws: Part 2

by Julie A. Roth, MHSA, JD, RHIA

The HIPAA privacy rule is just one of several federal laws that protect the privacy of non-public information. But privacy is not a new concept in healthcare. Healthcare workers have long protected medical information under a varety of state and federal laws, accreditation standards, and rules of ethical conduct.

Generally, covered entities must continue to meet these standards when they provide greater privacy protections than HIPAA. This article highlights some federal healthcare laws that coexist with the HIPAA privacy rule to protect the confidentiality of patient information.

Protection of Human Subjects

The Federal Policy for the Protection of Human Subjects (common rule) protects the rights and privacy of human research subjects. With certain exceptions, it applies to entities conducting research supported or regulated by federal agencies. Human subjects research is conducted when a living individual’s identifiable private information is used to contribute to generalizable knowledge.

An institutional review board (IRB) must approve human subjects research projects and clinical investigations. As part of this process, an IRB requires the existence of adequate protections for the privacy of subjects and the confidentiality of data, proportionate to the privacy risks. An informed consent describing how the confidentiality of identifiable records will be maintained must be sought from each subject. Under certain circumstances, such as when the only record linking the subject to the research would be the consent form itself, an IRB may waive the informed consent requirement. If research is being conducted by a covered entity under the HIPAA privacy rule, it must adhere to additional requirements for using and disclosing research subjects’ protected health information.

A research institution may request a certificate of confidentiality (COC) from the National Institutes of Health whenever an IRB-approved research project involves the collection of personally identifiable sensitive information (such as genetic data). If granted, a COC allows an institution to refuse to make “involuntary disclosures” of identifying information about research subjects in response to subpoenas, court orders, and other legal mandates. Certain “voluntary” disclosures are permitted when necessary for maintaining public health, provided the informed consent contains a statement to this effect. Disclosures may also be made for program evaluations, audits, and in response to a sub-ject’s written consent.

Confidentiality of Alcohol and Drug Abuse Patient Records

The Confidentiality of Alcohol and Drug Abuse Patient Records rule has protected the privacy of patients treated in federally assisted alcohol and drug abuse programs since 1987. Programs are providers or facilities that provide alcohol or drug abuse care. Federal assistance is broadly defined and includes certification of provider status under the Medicare program or registration to dispense federally controlled substances.

At the time of admission, a program must inform a patient that his or her records are legally protected and give the patient a written summary of those protections. A program cannot acknowledge a patient’s presence without written consent or a court order. Internal access to records must be appropriately limited, and a patient’s written consent is required prior to disclosing records to third parties. Recipients must be notified in writing that they may not re-disclose the records without the patient’s written consent and that the law restricts use of the records in criminal matters. Whenever a request for patient information must be denied, the denial cannot affirmatively reveal that a patient is connected with drug or alcohol abuse.

In certain situations, a program may disclose patient information without written consent. Governmental agencies and private third-party payers may use patient records to conduct on-site audit and evaluation activities. If records are removed, the recipient must agree in writing to certain confidentiality protections.

Patient information may be used for research purposes provided that specific confidentiality protections are in place. The human subjects laws and the HIPAA privacy rule may apply as well. Patient information may also be disclosed in response to a valid subpoena accompanied by an authorizing court order.

Other Privacy Protections

To participate in the Medicare and Medicaid programs, providers must meet Conditions of Participation standards designed to ensure that program beneficiaries receive quality care. Numerous standards grant patients’ control over their medical information and require providers to safeguard patient confidentiality. Hospitals must have procedures in place to protect clinical records from unauthorized access or alteration and may only release original records as permitted by law. Patients have a right of access to their own records within a reasonable time.

In hospice and home health settings, similar procedures for safeguarding the confidentiality of clinical records are required. Home health patients must be advised on how clinical records are disclosed and must consent in writing to disclosures not otherwise permitted by law. Nursing facility residents also have the right to the confidentiality of their clinical records and may generally approve or deny the release of records. However, records may be released to a healthcare institution where a resident is being transferred or as required by law.

The Clinical Laboratory Improvement laws govern the certification of laboratories conducting human specimen testing. Under these laws, laboratories may generally use patient information as necessary to carry out testing and quality improvement activities, provided confidentiality protections are in place. Specimens and reports must positively identify the patient throughout the testing process and be accessible in a timely manner.

Test results may be released to individuals authorized under state law to order or receive results, the laboratory requesting the test, and the individual responsible for using the test results. If an error occurs in reporting process or test results indicate critical or “panic” values, the laboratory must immediately alert the individual or entity requesting the test or the individual using the test results.

Although the four privacy laws addressed in this article may not be as well known, their impact on patient care is significant. By becoming more familiar with some of the lesser-known laws, we can all become more knowledgeable about privacy’s important place in healthcare. ❖

Privacy at a Glance


Protection of Human Subjects
(45 CFR Part 46)
Confidentiality of Alcohol and Drug Abuse Patient Records
(42 CFR Part 2)
Conditions of Participation
(42 CFR Part 418, 482, 484)
Standards & Certification
(42 CFR Part 483)
Clinical Laboratory Improvements
(42 CFR Part 493)
Applies to • Institutions con-ducting federally supported human subjects research • Federally assisted drug and alcohol abuse programs

• Medicare and Medicaid certified providers

• Laboratories performing testing on human speci-mens for diagnosis or treatment
Protected Information • Identifiable private information • Patient identify-ing information • Personal and clinical records • Not specified
• Infer individually identi-fiable patient information
Protected Persons • Human subjects • Patients diagnosed, treated or referred by federally assisted programs • Medicare and Medicaid beneficiaries

• Persons whose specimens are submitted to laboratories

Privacy Notice • Informed consent document • Provide summary of protections at admission or patient's capacity
• Sample notice in regulations
• Nursing facilities--notice of rights and services in-cludes privacy information
• Home health--must advise patient of policies and procedures regarding disclosure

Uses and Disclosures with Consent • Informed consent required prior to using identifiable private information
• Additional HIPAA privacy rule requirements may apply
• Disclosures not otherwise permit-ted require written consent
• Include prohibi-tion of redisclosure notice
• Hospitals--must release only to authorized individuals
• Nursing facilities--residents may approve release of records
• Home health--written con-sent required when disclo-sure not legally authorized
• Not specifically addressed
• Disclosures limited to "authorized persons" or individual responsible for using test results
Uses and Disclosures without Consent • IRB may waive informed consent requirement
• Additional HIPAA privacy rule requirements may apply
• Medical emergencies
• Research activities
• Audits and evaluations
• Subpoenas with authorizing court orders
• Hospitals--as permitted or required by law
• Nursing facilities--as required by law to providers where patient is transferred
• Not specifically addressed
• Must report panic values to individuals who ordered or use test results
Safeguarding Information • IRB requires confidentiality protections • Must keep records secure
• Procedures regulating access
• Hospitals--access and alteration procedures
• Hospice and home health--safeguard clinical records against loss, destruction, and unauthorized use
• Confidentiality must be protected in all phases of the testing process


David Roth

Julie Roth ( is clinical assistant professor at the University of Kansas Medical Center School of Allied Health, Department of Health Information Management.

Article citation:
Roth, Julie A. "Getting "Hip" to Other Privacy Laws. Part 2." Journal of AHIMA 75, no.3 (March 2004): 48-50.