Friday September 03, 2010
BridgeFront - http://www.hipaaemployer.net & HIPAA For Employers and Brokers - HOME
What Information is Protected by the Privacy Rule?

The Privacy Rule does not protect all forms of health information - only health information that is "individually identifiable." In other words, it protects health information from which an individual can be identified, but only if that information is in the hands of a covered entity. Generally, health information held in a group health plan's records will be protected.

Health Information is Protected if:
  • It is created or received by a provider, health plan, employer, or health care clearinghouse.
  • It relates to the physical or mental health or condition of an individual, at any time, past, present or future (and includes information related to payment of health benefits).
  • It identifies an individual or can be used to identify the individual.
  • It is in the possession or control of a covered entity (including a group health plan). [45 CFR §§ 160.103 (definition of "health information"); 164.501 (definitions of "individually identifiable information" and "protected health information").]

Compliance Tip: This definition encompasses health information in all forms - electronic, written, oral, or any other medium. [45 CFR § 164.501 (definition of "protected health information"); 65 Fed. Reg. 82496.]

What is "Protected Health Information" or PHI?

"Protected health information" is the health information described above and is subject to the Privacy Rule's protections.

Do I Need to Comply with State Privacy Laws?

Possibly. The Privacy Rule does not preempt all state privacy laws. State privacy laws that are "more stringent" are preserved. That is, a state privacy law that provides more privacy protections or greater individual rights than provided by the federal Privacy Rule will apply, unless that law is otherwise preempted by a different federal law, such as ERISA. Generally, state laws preempted by ERISA will remain preempted. [45 CFR § 160.203; 65 Fed. Reg. 82483.]

Accordingly, employers must determine whether and to what extent they must follow state law (including decisional law as well as statutes and regulations). This task may be particularly complicated for employers with employees in more than one state. A detailed discussion of the preemption issues raised by the Privacy Rule is beyond the scope of this Workbook. Employers might wish to consult with legal counsel to determine applicable state privacy laws.

Do I Need to Comply with Other Federal Laws that Require Me to Use Or Release Protected Health Information?

Generally, nothing in HIPAA or the Administrative Simplification Rules exempts an employer from complying with other federal laws (e.g., ERISA, ADA, FMLA) under the general rules of precedence applicable to federal law.

Generally, When May Protected Health Information Be Used Or Disclosed?

Group health plans may use or disclose protected health information only if the use or disclosure is permitted or required by the Privacy Rule. [45 CFR § 164.502(a).] In very general terms, a group health plan may use protected health information internally or disclose it externally only under the limited circumstances and for the specific purposes permitted by the Privacy Rule. Otherwise, group health plans may use or disclose protected health information only with the permission of the individual who is the subject of the protected health information.

Page 4 of 8