On December
20, 2000, President Clinton signed a regulation
that established the first-ever federal privacy
protections for personal health information. The
regulation issued by President Clinton was the
culmination of a process that dates from 1996.
When the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) was enacted,
both President Clinton and Congress discussed a
need for national patient record privacy
standards. At that time, Congress gave itself
until August 21, 1999, to pass comprehensive
health information privacy legislation. When
Congress did not enact standards by that
deadline, HIPAA provided that the US Department
of Health and Human Services (HHS) issue
regulations. The proposed regulation was
initially published on November 3, 1999, for
comments. During the comment period, HHS received
>52,000 comments from the public. After
consideration of these comments, revisions were
made that resulted in the final regulation
enacted by President Clinton in December 2000.
The regulation is effective February 26, 2001.
Compliance with these rules by health care
providers is not required until February 26,
2003.
Either Congress or
President Bush could reverse these rules with a
new regulation. Given that Congress could not
agree on a set of rules within the 3-year period
provided by HIPAA, it is unlikely that they would
be able to agree on specific changes or a new set
of rules. President Bush has not expressed any
reservations about these standards. Further, his
campaign platform promised rules to protect the
privacy of medical information. Administration
advisers, however, stated that they would want to
review the details of these standards,
particularly the benefits, costs, and burdens.
Because these rules have such a far-reaching
effect and place new burdens and duties on health
care providers, it is important to become
familiar with, understand, and consider them as a
first step toward compliance.
The new federal
standards for privacy of individual health
information, along with the comments and the
financial impact analysis, are >1000 pages in
length. A detailed discussion of any of the areas
could take up more space than is provided here.
The goal of this article is to assist in the
familiarization process. This article highlights
the main provisions that affect health care
providers and their relationships with patients
and focuses on what are perceived to be the more
commonly applicable provisions. Some further
exceptions and provisions may exist. If readers
have interest in a detailed exploration of
certain areas, these can be addressed in future
articles.
WHO IS REGULATED
These privacy
guidelines apply to health care providers, health
plans, and health care clearing houses (1). As
defined in the statute, a health care provider
provides preventive, diagnostic, therapeutic,
rehabilitative, maintenance, or palliative care
and counseling, service, assessment, or
procedures with respect to physical or mental
conditions. This definition also covers
individuals who are involved in the sale or
dispensing of a drug, device, or other item by
prescription (2). Additionally, to be a health
care provider under these rules, the entity must
transmit health information in the form of a
HIPAA transaction (3). HIPAA transactions include
electronic filing of health claims; health claim
attachments; plan eligibility, enrollment, and
disenrollment information; health care payment
and remittance advice; health plan premium
payments; reports of injury; health claim status
reports; and referral certification and
authorization (4). Given the current technology
used by health care providers, most providers
already conduct HIPAA transactions and will be
subject to these regulations.
Entities not
covered by these regulations are workers'
compensation programs, as well as life, property,
and casualty insurers (5). In the press release
on publication of these rules, HHS urged Congress
to take further measures to fill these gaps,
since the regulations did not fully achieve the
Clinton administration's goal of a
"seamless system of privacy protection"
(6).
WHAT IS COVERED AND HOW
These rules
protect any information, whether oral, written,
or electronic, that is created by health care
providers or other entities and relates to the
past, present, or future physical or mental
health or condition of an individual, the
provision of health care to an individual, or
payments made for the provision of health care to
an individual (7). Additionally, these rules
specifically pertain to and cover information on
deceased patients (7). Thus, the rights to
privacy guaranteed by these regulations continue
after the patient's death.
Areas of these
rules that will be of particular interest to
health care providers include the following:
- The
uses/disclosures of medical information
- Consent, or the
use of information to carry out
treatment, payment, or health care
operations
- Authorizations, or
other uses of medical information
- Patients' rights
with respect to their medical information
- Notice that is
required to be given to patients about
these rights
- Administrative
requirements that will be placed on
health care providers
- Enforcement of
these provisions
Key points in
each of these areas are summarized below.
The general rule
is that protected health information may not be
used or disclosed except as provided for by the
regulation (8). The rules discuss permitted
disclosures and required disclosures. Health care
providers are permitted to disclose health
information in the following situations:
- To the patient
- Pursuant to the
parameters of an appropriate consent in
order to carry out treatment, payment, or
health care operations
- Without consent,
if consent is not required and has not
been sought, in order to carry out
treatment, payment, or health care
operations (9)
Health care
operations are defined to include matters
such as quality assessment, credentialing,
underwriting, review and auditing, and business
planning and management functions (7).
Health care
providers are required to disclose medical
information in 3 situations:
- When the
individual requests this information
under his or her right of access
- When a patient
requests an accounting of who has been
provided with his or her information
- When disclosure to
the secretary of HHS is indicated (10)
The provisions
regarding patient access and accounting are
discussed below. Disclosure to HHS can be
compelled by the compliance and enforcement
provisions of these rules (11). When a health
care provider uses or discloses protected health
information or requests such information from
another covered entity, reasonable efforts must
be made to limit the information produced to the
minimum necessary to accomplish the intended
purpose (12). This "minimum necessary"
standard does not apply to disclosures or
requests by health care providers for treatment
or disclosures required by law (13). Disclosures
required by law are also discussed below.
Consent
Under these
rules, a health care provider must obtain an
individual's consent before using or disclosing
protected health information to carry out
treatment, payment, or health care operations
(14). This consent must be documented on a form
distinct from the notice that explains the
privacy practices of the health care provider
(15). The consent must be written in plain
language and must fulfill all of the following
requirements:
- Inform the patient
that the protected health information may
be used and disclosed to carry out
treatment, payment, or health care
operations
- Refer the patient
to the notice required by these
regulations (which is discussed below)
for a more complete description of
anticipated uses and disclosures and
advise the patient of the right to review
this notice before signing the consent
- State the terms
and how the patient may obtain a revised
notice of new privacy practices
- Advise the patient
of the right to request restrictions on
the use of protected health information,
explaining that the entity is not
required to agree to these restrictions,
but if it does so, the restriction is
binding
- Inform the patient
of his or her right to revoke the consent
in writing except to the extent that the
covered entity has taken action and
already relied on the consent
- Be signed by the
patient and dated (16)
While the consent
may not be on the same form as the notice, the
consent for use or disclosure of medical
information may be combined on a form with other
types of legal permission obtained from the
patient, such as informed consent for treatment
or consent to the assignment of benefits (17). If
this consent for use of health information is
combined with these other consents, this
disclosure consent must be visually separate from
any other written legal permission. Further, it
must be separately signed and dated (17).
Despite these
consent requirements, there are certain
circumstances in which a covered health care
provider may, without patient consent, use or
disclose protected health information to carry
out treatment, payment, or health care
operations. These circumstances exist when the
health care provider
- Has an indirect
treatment relationship (7) with the
patient, such as serving as a consultant
- Created or
received the information in the course of
providing care to an individual who is an
inmate
- Is in an emergency
situation, if the health care provider
attempts to obtain consent as soon as
reasonably practical after delivery of
the treatment
- Is required by law
to treat the individual, but attempts to
obtain consent have been unsuccessful
(18)
Authorization
A patient
authorization is required if protected health
information is disclosed for purposes other than
treatment, payment, or health care operations
(19). It is important to note that the terms authorization
and consent are terms of art under these
rules. Consent is something that is obtained from
the patient in order to use the medical
information for treatment, payment, or health
care operations. A patient's agreement for use of
this knowledge in other circumstances is
authorization. Except as in the situations
discussed below, protected health information may
not be used or disclosed for purposes other than
treatment, payment, or health care operations
without an authorization (19). Additionally, an
authorization is required for any use or
disclosure of psychotherapy notes, except in
certain limited situations provided for by the
regulations (20).
A valid
authorization must contain the following:
- A specific and
meaningful description of the information
to be used or disclosed
- The name or other
specific identification of the person
authorized to make the requested use or
disclosure
- The name or other
specific identification of the person who
may receive the requested disclosure
- An expiration date
or event
- A statement of the
patient's right to revoke the
authorization in writing, along with
exceptions to this right and a
description of how the individual may
revoke the authorization
- A statement that
the information used or disclosed may be
subject to redisclosure by the recipient
and would then no longer be protected
- Signature of the
patient and date or, if the authorization
is signed by a personal representative, a
description of the representative's
authority to act for the individual (21)
Disclosure may
occur without consent or an authorization when it
is required by law and the disclosure complies
with and is limited to these legal requirements.
These circumstances include the following:
- Public health
activities
- Treatment of
victims of abuse, neglect, or domestic
violence
- Health oversight
committees
- Judicial and
administrative proceedings
- Law enforcement
focuses
- Information about
decedents to coroners and funeral
directors
- Disclosures for
cadaveric organ, eye, or tissue donation
purposes
- Research purposes
- To avert serious
threat to health or safety
- For specialized
governmental functions that generally
pertain to military personnel
- Disclosures for
workers' compensation programs (22)
One of the most
common disclosures required by law is when a
request for a health care provider's records is
made in connection with litigation proceedings.
In this situation, the health care provider may
disclose information in response to a subpoena,
discovery request, or other lawful
process (23). The health care provider,
however, must receive "satisfactory
assurance" that the individual who is the
subject of the request has been given notice of
the request or has had an opportunity to obtain a
protective order (24). So long as the request is
accompanied by information that establishes that
the parties to the litigation, including the
legal representative of the patient whose records
are being requested, have been provided with
notice of this request, it would appear that the
"satisfactory assurance" requirement
has been met.
NOTICE OF PRACTICES AND PATIENT RIGHTS
As part of the
privacy scheme provided for in these regulations,
the health care provider must disclose its
privacy practices to patients. This is contained
in notice given to the patient (25).
Generally, the notice must advise patients of
their rights related to the use and disclosure of
their health information and the health care
provider's legal duties with respect to
maintaining privacy of this health information
(26). Certain exceptions exist for individuals
enrolled in group health plans and for prison
inmates (27).
The notice must
be written in plain language and contain a header
or prominently displayed statement, "This
notice describes how medical information about
you may be used and disclosed and how you can get
access to this information. Please review it
carefully" (28). With respect to the uses
and disclosures of medical information, the
notice must contain the following:
- A description,
with at least one example, of the types
of uses and disclosures that the health
care provider is permitted to make for
treatment, payment, and health care
operations
- A description of
each of the other purposes for which the
health care provider is permitted or
required to use or disclose protected
health information without the patient's
consent or authorization
- A statement that
any other uses and disclosures will be
made only with the patient's written
authorization and that the authorization
may be revoked (29)
A health care
provider may intend to contact a patient to
provide appointment reminders or information
about treatment alternatives or other
health-related benefits and services; to contact
the individual to raise funds; or to allow a
group health plan, health insurance issuer, or
HMO to disclose protected health information to
the sponsor of the plan. When these things are
intended, they must be disclosed and described in
the notice (30).
Additionally, the
notice must contain the statement of the
patient's rights and a description of how the
patient may exercise those rights. Specifically,
the notice must advise the patient of his or her
right to do any of the following:
- Request
restrictions on certain uses and
disclosures of information
- Inspect and copy
health information
- Amend protected
health information
- Receive an
accounting of disclosures of health
information
- Obtain a paper
copy of the notice upon request (31)
The notice must
also contain a recitation of the covered entity's
duties. Specifically, it must state the
following:
- That the health
care provider is required by law to
maintain the privacy of protected health
information and to provide patients with
notice of its legal duties and privacy
practices
- That the health
care provider is required to abide by the
terms of the notice currently in effect
- That if the health
care provider changes its privacy
practices, it reserves the right to
change the terms of its notice and to
make the new notice provisions effective
for all protected health information that
it maintains. The statement must also
describe how it will provide patients
with a revised notice of its practices.
- That patients may
complain to the health care provider or
to the secretary of HHS if they believe
their rights have been violated. The
notice must describe how a complaint may
be filed and state that the patient will
not be retaliated against for filing a
complaint.
- The name or title
and telephone number of the person or
office to contact for further information
and the date on which the notice is first
in effect (32)
The regulation
also indicates where the notice should be
published and how the patient can obtain access
to the notice (33).
As discussed
above, the notice advises patients of a number of
rights they have been granted under these
regulations. The key patient rights at issue are
the ability to request restrictions on the use of
their information, to access their information,
to amend their information, and to request an
accounting of disclosures of their information.
Right to request restriction
The patient has
the right to request a restriction on uses and
disclosures of information permitted by the
rules. The health care provider, however, is not
required to agree to requested restrictions. If
the provider agrees to any requested restriction,
the provider must abide by that restriction
except in emergency situations. The statute also
provides for circumstances in which an agreed
restriction may be terminated and requires that
any agreement to a restriction be documented
(34).
Right to access to records
Patients also
have a general right of access to inspect and
obtain a copy of their medical records (35).
Exceptions exist with respect to psychotherapy
notes; information compiled in anticipation of or
for use in a civil, criminal, or administrative
action or proceeding; or protected health
information that is exempted under provisions of
Clinical Laboratory Improvement Amendments (CLIA)
(36).
A health care
provider may require individuals to make requests
for access to their records in writing, so long
as it informs those individuals of this
requirement (37). While not specifically
discussed in the statute, the presumption would
be that if this is to be a requirement, it should
be set forth in the notice about privacy
practices discussed above. When a request for
records is made, the covered entity must act on
the patient's request no later than 30 days after
receipt of the request. If access is granted, it
must provide the access that is requested in the
form requested. It must also provide the
information in a timely manner (38). If a copy of
the materials is requested, the health care
provider may charge a reasonable, cost-based fee
that includes only the cost of postage and the
supplies and labor for the copying (39).
If a request is
denied in any respect, the individual must be
provided with a written denial. This denial must
be timely (as set forth above), state the basis
of the denial, and indicate the individual's
review rights. This statement must advise how the
individual may exercise those rights and describe
how the individual may complain to the secretary
of HHS. The denial must also make other
responsive information accessible to the extent
possible (40).
Denial of access
to medical records can be reviewed in the
following 3 circumstances:
- When the licensed
health care professional has determined,
in the exercise of professional judgment,
that the access requested is reasonably
likely to endanger the life or physical
safety of the patient or another person
- When the protected
health information makes reference to
another person (unless such other person
is a health care provider), and a
licensed health care professional has
determined, in the exercise of
professional judgment, that the access
requested is reasonably likely to cause
substantial harm to such other person
- When the request
for access is made by the individual's
personal representative, and a licensed
health care professional has determined,
in the exercise of professional judgment,
that the provision of access to such
personal representative is reasonably
likely to cause substantial harm to the
individual or another person (41)
There are 5
situations in which there is no right of review
for denying access to records:
- The provisions
discussed above regarding psychotherapy
notes, information for judicial or
administrative proceedings, or CLIA
information
- When the health
care provider is acting under the
direction of a correctional institution
and an inmate requests a copy of the
information that could jeopardize the
health, safety, security, custody, or
rehabilitation of the individual or of
other inmates or the safety of any
officer, employee, or other person at the
correctional institution or involved in
transporting of the inmate
- When the protected
information was created or obtained in
the course of research that includes
treatment that may be temporarily
suspended for as long as the research is
in progress, provided that the individual
has agreed to the denial of access when
consenting to participate in the research
and that the health care provider has
informed the individual that the right of
access will be reinstated upon completion
of the research
- When the
individual's access to the information is
denied by the Privacy Act, as set forth
in 5 USC §552a
- When the
information was obtained from someone
other than a health care provider under a
promise of confidentiality and the access
requested would be reasonably likely to
reveal the source of the information (42)
If the denial is
reviewable, the patient has a right to have the
denial reviewed by a licensed health care
professional designated by the health care
provider in question to act as a reviewing
official, as long as this individual did not
participate in the original decision to deny
access to the records. If a review is requested,
the matter must be promptly referred for review
to this designated reviewing official. This
individual must determine, within a reasonable
period of time, whether or not to deny the access
requested based on the standards discussed above.
The health care provider must then promptly
provide written notice to the individual of the
reviewing individual's determination and act upon
the reviewing individual's determination (43).
Further, the titles of the persons or offices
responsible for receiving, processing, and
reviewing these requests must be documented (44).
Right to amend records
One of the unique
provisions of these new regulations is a
patient's right to have his or her health
information amended. These regulations allow an
individual to request such amendments from a
health care provider for as long as that provider
maintains the health information (45). The health
care provider must permit an individual to
request amendments of their records.
Additionally, the health care provider may
require individuals to make requests for an
amendment in writing and to provide the health
care provider with a reason to support amendment,
if the patient is advised in advance of this
requirement (46). Again, while the statute is
silent, one would presume that this provision
should be contained in the notice of privacy
practices that the patient receives initially.
When a request
for amendment is made, it must be acted on no
later than 60 days after receipt of the patient's
request. If the request cannot be acted on within
60 days, a 30-day extension may be obtained,
provided that the patient is informed in writing
of the reasons for the delay and the date by
which the entity will complete action on the
request. Only one such extension is allowed (47).
If the request
for amendment is accepted, the appropriate
amendment must be made in the records and must
identify the records that are affected by the
amendment and append or otherwise provide a link
from those records to the amendment.
Additionally, the provider must inform the
patient that the amendment is accepted and obtain
information from the patient to identify persons
to whom this information should be forwarded.
These persons must be advised of the amendment
within a reasonable time of the amendment. The
persons who must be informed include individuals
identified by the patient as having received
information that needs amendment and other
persons, including the health care provider's
business associates (47), who have information
that is the subject of the amendment and that
might be relied on to the detriment of the
individual in the future (48).
A patient's
request for amendment can be denied if the health
care provider determines that
- It did not create
the information in question
- The information is
not part of its records
- The information
requested would not be available for
inspection by others, or
- The
information in question is accurate and
complete (49)
When a request
for amendment is denied, the patient must be
advised in writing of the basis for the denial.
The denial should indicate that the patient may
submit a written statement of disagreement,
should describe how this statement may be filed,
and should explain that if the patient does not
submit a statement of disagreement, he or she may
request that the entity provide a copy of the
request for amendment and the denial of such
request with any future disclosure of information
that is the subject of the amendment. Further,
the denial should contain a description about how
the individual may complain to the health care
provider or the secretary of HHS about the
request being denied (50).
The patient must
be permitted to submit a written statement
disagreeing with the denial and the basis of such
disagreement where the request for amendment is
denied. This statement may be limited to a
reasonable length. Additionally, the health care
provider may prepare a written rebuttal to the
statement of disagreement. If a rebuttal is
prepared, a copy must be provided to the patient
(51).
Lastly, when a
health care provider is informed by another
entity covered by these regulations that there
has been an amendment to an individual's health
information, that health care provider must so
amend its records on that individual (52).
Right to accounting of disclosures
Patients are
entitled to an accounting of disclosures from
their health care providers (53). When an
accounting is requested, the accounting must
include disclosures of protected health
information that occurred during the 6 years
prior to the date of the request (53). For each
disclosure, the patient must be advised of the
following information:
- The date of
disclosure
- The name of the
entity or person who received the
protected information and, if known, the
address of such entity or person
- A brief
description of the information disclosed
- A brief statement
of the purpose or basis of the disclosure
(54)
Documentation of
the information required to be included in an
accounting must be retained, as well as the
written accounting that is provided pursuant to
the individual's request (55).
Some exceptions
to the accounting exist: a health care provider
is not required to account for disclosures for
treatment, payment, and health care operations or
for disclosures that occurred prior to the
compliance date (56). When an individual requests
an accounting, the health care provider must
provide, no later than 60 days after receipt of
such request, the accounting requested or a
statement that a 30-day extension is needed. If
an extension is sought, there must be a written
statement provided to the patient regarding the
reasons for delay and the date by which the
requested accounting will be provided. As with
the extensions on other requests for information
in these provisions, only one such extension is
allowed (57).
The first request
by a patient for an accounting in any 12-month
period must be provided without charge. If there
are subsequent requests for accounting by the
same individual within a 12-month period, the
health care provider can charge a reasonable
cost-based fee for each subsequent accounting
provided that the individual is informed in
advance of the fee and that the individual is
given an opportunity to withdraw or modify the
request for subsequent accounting in order to
avoid or reduce the fee (58).
DUTIES OF HEALTH CARE PROVIDERS
In addition to
the rights and provisions discussed above, the
regulation also imposes administrative
requirements on health care providers to assist
in ensuring compliance and allowing the exercise
of these rights. First, policies and procedures
must be implemented and maintained in written or
electronic form (59). These policies must be
designed to comply with the statutory
requirements and to ensure compliance with the
statutory guidelines (59). The policies must
contain sanctions for use against employees when
they fail to comply with policies and procedures
for maintaining the privacy of records. There
must also be documentation that these sanctions
are applied when violations occur (60). Policies
must be updated if changed and be changed
promptly if the law changes, and patients must be
notified in the notice of any such changes (61).
Documentation must be maintained for 6 years from
the date of creation or the last date of
effectiveness. The health care provider must also
designate a privacy official responsible for
developing and implementing these policies and
procedures. Additionally, as discussed above, a
contact person must be designated for receiving
complaints about policies and procedures (62).
The regulation
also requires that all members of an office's
workforce be trained on the policies and
procedures as necessary and appropriate for them
to carry out their functions. This training must
initially be completed no later than the
compliance date. Thereafter, new members of the
workforce must be trained within a reasonable
period of time after their employment. Further,
this training must be documented and this
documentation must be maintained for 6 years, as
discussed above (63).
ENFORCEMENT
The secretary of
HHS is charged with ultimate enforcement
responsibility for these rules. To ensure
compliance, the secretary may conduct compliance
reviews to determine whether the applicable
standards and requirements have been implemented
and are being followed (64). HHS may also act on
individual complaints. If an individual believes
that a covered health care provider is not
complying, he or she has the right to file a
complaint with the secretary of HHS (65).
Additional rules are to be published regarding
specific enforcement provisions and punishment.
These will appear in the Federal Register.
There is, however, no private cause of action
against a health care provider by an individual
for violation of these regulations (6). That is
to say, an individual person could not bring suit
against a health care provider for violating any
of these provisions. At the time these
regulations were enacted, both President Clinton
and the secretary of HHS emphasized this point
and the need for further regulation to provide
statutory authority for a private right of action
for individuals to enforce their privacy rights
(6). Such a right would apparently require an
entirely new regulation, since it would exceed
the authority granted by HIPAA.
Currently,
violations can trigger only civil and criminal
penalties following prosecution by the secretary
of HHS. Violators who unintentionally disclose
information face civil fines of $100 per
violation, up to a total of $25,000 per year.
Those who intentionally disclose information face
criminal sanctions of up to $50,000 and 1 year in
prison. An intent to sell such information is
punishable by up to $250,000 in criminal
sanctions and 10 years in prison (66). In the
comments to these regulations and in response to
concerns about potential violations despite good
faith attempts at compliance, the secretary
stated that the initial intention in policing
covered entities for violations would be to
ensure compliance and not to extract punitive,
monetary sanctions (67).
CONCLUSION
It is evident
that these new provisions are not only broad and
somewhat novel in nature but are extremely
detailed and specific in setting forth the
conduct that is necessary and acceptable under
the regulations. Many regulations go deeper than
what I have been able to highlight here. Another
area not discussed requires health care providers
to rewrite contracts with business partners, such
as attorneys, auditors, and consultants who
receive protected health information, to ensure
that they adhere to the privacy rules. Health
care providers can be held responsible for
violations by these business partners, but only
if they knew about them. Otherwise, violations by
these individuals will not give rise to the
sanctions discussed above (68).
While there is a
chance that President Bush or Congress could
strike down or do away with this regulation,
nothing to date shows a willingness by either to
do so. In fact, while the Bush administration did
take action to delay by 60 days the effective
date of regulations published during the last
weeks of Clinton's presidency, the conclusion was
that these rules would likely not be affected
(69). Regardless, now is the time to consider the
steps that need to be taken to comply with these
regulations. The year 2003 will be upon us
quickly.
- Standards for privacy of individually identifiable health information. 65 Federal Register 82461 (2000) (to be codified at 45 CFR §160.102[a]).
- Ibid. (to be codified at 45 CFR §160.103).
- Ibid. (to be codified at 45 CFR §§160.102[a][3], 164.104).
- 42 USC §1320d-2(a)(2) (Vernon's Supp. 2000).
- US Department of Health and Human Services. HHS announces final regulation establishing first-ever national standards to protect patients' personal medical records. HHS News, December 20, 2000.
- US Department of Health and Human Services. Protecting the privacy of patients' health information, summary of the final regulation. HHS Fact Sheet, December 20, 2000.
- 65 Federal Register 82461 (2000) (to be codified at 45 CFR §164.501).
- Ibid. (to be codified at 45 CFR §164.502[a]).
- Ibid. (to be codified at 45 CFR §164.502[a][1]).
- Ibid. (to be codified at 45 CFR §164.502[a][2]).
- Ibid. (to be codified at 45 CFR §§160.306, 160.308, 160.310, 164.502[a][2][ii]).
- Ibid. (to be codified at 45 CFR §164.502[b][1]).
- Ibid. (to be codified at 45 CFR §164.502[b][2]).
- Ibid. (to be codified at 45 CFR §164.506[a][1]).
- Ibid. (to be codified at 45 CFR §164.506[b][3]).
- Ibid. (to be codified at 45 CFR §164.506[c]).
- Ibid. (to be codified at 45 CFR §164.506[b][4]).
- Ibid. (to be codified at 45 CFR §§164.506[a][2], [3]).
- Ibid. (to be codified at 45 CFR §164.508[a]).
- Ibid. (to be codified at 45 CFR §164.508[a][2]).
- Ibid. (to be codified at 45 CFR §164.508[b][1]).
- Ibid. (to be codified at 45 CFR §164.512).
- Ibid. (to be codified at 45 CFR §164.512[e][1]).
- Ibid. (to be codified at 45 CFR §164.512[e][1][ii]).
- Ibid. (to be codified at 45 CFR §164.520[a]).
- Ibid. (to be codified at 45 CFR §§164.522, 164.524, 164.526, 164.528).
- Ibid. (to be codified at 45 CFR §§164.520[a][2], [3]).
- Ibid. (to be codified at 45 CFR §164.520[b][1][i]).
- Ibid. (to be codified at 45 CFR §164.520[b][1][ii]).
- Ibid. (to be codified at 45 CFR §164.520[b][1][iii]).
- Ibid. (to be codified at 45 CFR §164.520[b][1][iv]).
- Ibid. (to be codified at 45 CFR §164.520[b][1][v]).
- Ibid. (to be codified at 45 CFR §164.520[c]).
- Ibid. (to be codified at 45 CFR §164.522[a]).
- Ibid. (to be codified at 45 CFR §164.524[a][1]).
- Ibid. (to be codified at 45 CFR §§164.524[a][i], [ii], [iii]).
- Ibid. (to be codified at 45 CFR §164.524[b][1]).
- Ibid. (to be codified at 45 CFR §164.524[b][2]).
- Ibid. (to be codified at 45 CFR §164.524[c][4]).
- Ibid. (to be codified at 45 CFR §164.524[d]).
- Ibid. (to be codified at 45 CFR §164.524[a][3]).
- Ibid. (to be codified at 45 CFR §164.524[a][2]).
- Ibid. (to be codified at 45 CFR §164.524[a][3], [4]).
- Ibid. (to be codified at 45 CFR §§164.524[a][4], [e]).
- Ibid. (to be codified at 45 CFR §164.526[a][1]).
- Ibid. (to be codified at 45 CFR §164.526[b][1]).
- Ibid. (to be codified at 45 CFR §164.526[b][2]).
- Ibid. (to be codified at 45 CFR §§164.526[c], [e]).
- Ibid. (to be codified at 45 CFR §164.526[a][2]).
- Ibid. (to be codified at 45 CFR §164.526[d]).
- Ibid. (to be codified at 45 CFR §§164.526(d)[2], [3]).
- Ibid. (to be codified at 45 CFR §164.526[e]).
- Ibid. (to be codified at 45 CFR §164.528[a][1]).
- Ibid. (to be codified at 45 CFR §164.528[b][2]).
- Ibid. (to be codified at 45 CFR §164.528[d]).
- Ibid. (to be codified at 45 CFR §164.528[a][1][i]).
- Ibid. (to be codified at 45 CFR §164.528[c][1]).
- Ibid. (to be codified at 45 CFR §164.528[c][2]).
- Ibid. (to be codified at 45 CFR §164.530[i][1]).
- Ibid. (to be codified at 45 CFR §164.530[e]).
- Ibid. (to be codified at 45 CFR §164.530[i][2]).
- Ibid. (to be codified at 45 CFR §164.530[a][1]).
- Ibid. (to be codified at 45 CFR §164.530[b]).
- Ibid. (to be codified at 45 CFR §§160.306, 160.308, 160.312).
- Ibid. (to be codified at 45 CFR §164.306[a]).
- President Clinton issues strong new consumer protections to ensure the privacy of medical records [press release]. Washington, DC: The White House, December 20, 2000.
- 65 Federal Register 82461 (2000) (Discussion of Comments).
- Associated Press. Health privacy rules to be issued. December 20, 2000.
- American Health Lawyers Association. Health Law Highlights 2001;3(4).