Final Rule for Standards for Privacy of Individually Identifiable Health Information

Analysis by the AHIMA Policy and Government Relations Team 

This entire document is also available as a single PDF (portable document format) file. It is a very large file (86 pages, 520K) and may take some time to download.

Amid fanfare that included a presidential address, the Department of Health and Human Services (DHHS) released the final rule [Rule or Privacy Rule] for "Standards for Privacy of Individually Identifiable Health Information" in December 2000. The rule, which has been controversial since its beginnings, is the second administrative simplification regulation to be released as a result of the 1996 Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191.

AHIMA's analysis will cover the rule itself, any expected effects on health information management (HIM), and resources for further information, training, and implementation. HIM professionals should note that the rule contains both procedural and "legal" requirements and has a compliance date two years after its effective date. The rule is also substantially different from that proposed by DHHS in November 1999. Given the controversy and attention this rule continues to receive, it is very possible that there could be changes to the rule before it is actually implemented. While it would not be prudent to wait to begin implementing this Rule, readers are encouraged to regularly monitor AHIMA's Web site for any developments, changes, delays, or additions that might occur over the next few years. AHIMA will continue to keep you posted.

While this analysis highlights much of the 367 pages in the final rule, it is not a substitute for a close review of the entire rule. The rule was written by a large group of federal staff members with both complementary and contrasting styles. Many parts of the Rule are very detailed and somewhat confusing. This analysis attempts to provide a nonlegal perspective on such language. There are points within the Rule where this analysis drops or ignores a section because it essentially says: "The rule is to obey the Rule." On the other hand, where appropriate, this analysis contains the exact wording of the Rule in quotations, because the language is what will be used to hold a covered entity accountable.

The actual rule itself is only 31 pages long, but given the detail and legal aspects of the regulation, it will be important to review all sections closely. The final rule was published essentially in four sections:

  • Pages 65FR82462-82565 cover background, history, and a section-by-section review of the proposed and final rule. The review assists with specific detail on any single section of the final rule.

  • Pages 65FR82565-82758 cover general comments, section-by-section. Here the discussion responds to more than 50,000 commentaries (grouped). For this particular Rule, this section is well worth your reading time and also provides details that explain the "why" behind some of the final Rule's sections.

  • Pages 65FR82758-82798 cover the final regulatory impact analysis. The Secretary of the Department of Health and Human Services (Secretary) is suggesting that implementation will cost the healthcare[1] industry $17.6 billion over ten years. This section will create significant discussion in the months to come. You will have to decide if you agree with the amounts in question, but this section does provide some thinking about what activities must be implemented over the next several years.

  • Pages 65FR82798-82829 cover the final Rule language. Our commentary is primarily based on this section. The language and content constitute what covered entities must comply with.

This analysis includes:

Information Regarding the Rule Publication

Titled "Standards for Privacy of Individually Identifiable Health Information," the Rule can be found in the Federal Register, Vol. 65, No. 250, Pages 82462-82829, published on Thursday, December 28, 2000. Two companion notices were published in the Federal Register:

  • Tuesday, December 26, 2000-Executive Order 13181 "To Protect the Privacy of Protected Health Information in Oversight Investigations" (65FR81321)[2] and
  • Friday, December 29, 2000-"Technical Corrections to the Standards for Privacy of Individually Identifiable Health Information Published December 28, 2000" (65FR82944).

Copies of the Federal Register can be purchased individually from the Superintendent of Documents. However, it will take several weeks to receive a copy.[3] A much easier way to obtain a copy is to access the Federal Register and Government Printing Office Web site. Downloading the Rule requires the use of Adobe Acrobat Software, which is available for free at the GPO Web Site. The software is safe to download and use. Access to the Rule will also be available at other Web sites listed in the "resource" section of this analysis.

Similar access to the two companion documents can be found at: for the Executive Order and for the Technical Corrections.

Effective Dates

While this final Rule was published on December 28, 2000, its effective date, originally posted as February 26, 2001, now stands as April 14, 2001. The change in dates was due to a technical error made by DHHS that was not corrected until mid-February. Congress could technically rescind or change the legislation sustaining the Rule. While there has been much debate on the Rule, it does not appear that the effective date will be changed at this writing.

Presuming that the Rule's effective date is not delayed, the implementation dates, or "compliance by" dates, will be (§164.534) April 14, 2003 for all covered entities except those designated as "small health plans,"[4] whose "compliance by" date will be February 26, 2004.
