Patient’s Guide to HIPAA – Overview: What Federal Laws Are Relevant to Health Privacy?
You are reading the Patient’s Guide to HIPAA, FAQ 3.
FAQ 3: What Federal Laws Are Relevant to Health Privacy?
HIPAA is the most important federal health privacy law for almost everybody in the United States. Most of this guide explains what you should know about HIPAA.
We also highlight some other federal laws that may be relevant to your health privacy. There are five federal laws beyond HIPAA we think you should know about. Each of these touches on privacy in a slightly different way.
- Privacy Act of 1974
- Confidentiality of Alcohol and Drug Abuse Patient Records Regulations
- Family Educational Rights and Privacy Act (FERPA)
- Americans with Disabilities Act (ADA)
- Genetic Information Nondiscrimination Act (GINA)
We discuss each of these other laws briefly below.
Privacy Act of 1974
An important general-purpose federal privacy law is the Privacy Act of 1974 (http://www.law.cornell.edu/uscode/text/5/552a). The Privacy Act of 1974 covers nearly all personal records (not just health records) maintained by federal agencies and some federal contractors. It applies to military health records, veterans’ records, Indian Health Service records, Medicare records, and medical records of other federal agencies. HIPAA also applies to most of those same federal records. So if a federal agency has medical information about you, you are entitled to the best protections in both laws. HIPAA’s protections are sometimes better, but rights under the Privacy Act of 1974 are often better than those under HIPAA.
You can learn more about the Privacy Act of 1974 from a detailed guide published by the Department of Justice (http://www.justice.gov/opcl/1974privacyact-overview.htm). Warning: The Privacy Act of 1974 is just as complicated as HIPAA, and maybe even more so because there have been decades of litigation under the Privacy Act of 1974 (and very little under HIPAA). Remember that the Privacy Act of 1974 does not apply to most hospitals, clinics, or physicians. The Privacy Act of 1974 does not apply to them even though they may receive federal funds or be tax-exempt. Remember, the Act applies to federal agencies, not to recipients of federal funds.
Confidentiality of Alcohol and Drug Abuse Patient Records Regulations
The Confidentiality of Alcohol and Drug Abuse Patient Records Regulations (42 Code of Federal Regulations Part 2) are an important set of federal rules for some health records. These rules provide privacy protections for records of federally funded substance abuse (alcohol and drug abuse) health care providers. You can find more information at http://www.samhsa.gov/HealthPrivacy/. The actual rules are also at http://www.gpo.gov/fdsys/pkg/CFR-2000-title42-vol1/pdf/CFR-2000-title42-vol1-part2.pdf.
Rule of Thumb
The alcohol and drug abuse rules contain the strictest privacy protections of just about any law. The rules allow many fewer disclosures than HIPAA, and the restrictions generally follow the records. That means that if a record is subject to the rules, it remains subject to the rules if the record is disclosed to anyone. That is a very unusual but very privacy-protective policy.
The Substance Abuse and Mental Health Services Administration (SAMHSA) administers the alcohol and drug abuse rules. SAMHSA is part of the Department of Health and Human Services. You can find a document that discusses how HIPAA and the substance abuse privacy rule relate at http://www.samhsa.gov/HealthPrivacy/docs/SAMHSAPart2-HIPAAComparison2004.pdf.
Family Educational Rights and Privacy Act (FERPA)
Health records at most schools and colleges (at least those receiving federal funds) are not covered by HIPAA but by the Family Educational Rights and Privacy Act (FERPA). You will find more information about FERPA and a link later in this guide. (See FAQ 9.) In general, FERPA’s protections are better than HIPAA in some ways and not as good in others. There’s a simple Q&A on FERPA and HIPAA at http://www.hhs.gov/ocr/privacy/hipaa/faq/ferpa_and_hipaa/513.html, and a more detailed guide at http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf. Be warned that the interplay between HIPAA and FERPA can be very complex.
Americans with Disabilities Act (ADA)
The Americans with Disabilities Act (ADA) provides employees with disabilities some protections against discrimination in the workplace. The law includes limited workplace privacy protections as well. You can learn more about the ADA at the Equal Employment Opportunity Commission’s website: http://www.eeoc.gov/laws/types/disability.cfm.
Genetic Information Nondiscrimination Act (GINA)
The Genetic Information Nondiscrimination Act provides some federal protection from genetic discrimination in health insurance and employment. Genetic discrimination occurs when people are treated differently by their employer or insurance company because they have a genetic change that causes or increases the risk of an inherited disorder. GINA is a federal law designed to protect people in the United States from this form of discrimination. Most states have similar laws.
Title I of GINA makes it illegal for health insurance providers to use or require genetic information to make decisions about a person’s health insurance eligibility or coverage. This part of the law went into effect on May 21, 2009. Title II makes it illegal for employers to use a person’s genetic information when making decisions about hiring, promotion, and several other terms of employment. This part of the law went into effect on November 21, 2009. For more on GINA, see http://ghr.nlm.nih.gov/spotlight=thegeneticinformationnondiscriminationactgina. GINA has been controversial in some respects. Some think that the protections of GINA are not all that useful. The privacy provisions of GINA are discussed briefly in FAQ 55.
Some other federal privacy laws may apply at times to health records held by some records keepers (e.g., banks and credit bureaus). We don’t think that these laws are relevant enough to most people to explain here. There are other general privacy resources at the World Privacy Forum website (www.worldprivacyforum.org) and at the website of the Privacy Rights Clearinghouse (http://privacyrights.org).
Roadmap: Patient’s Guide to HIPAA: Part 1: Learning About HIPAA (FAQ 3 of 65)