SAA supports all efforts to strengthen the Health Information Portability and Accountability Act (HIPAA) to:
Several issues are in need of resolution.
At the Federal Level:
At the State Level: State medical records statutes differ from the federal law and state records laws vary widely. States tend to place restrictions on records, whereas HIPAA protects information. The definition of the “medical record” varies from state to state, is vague in some cases, and can encompass documents outside of the unit medical record. The period of protection also varies widely. When a state law is more restrictive than HIPAA, the more restrictive rule prevails.
At the Institutional Level: The Privacy Rule is interpreted differently by different institutions. Archival repositories must follow the policies and protocols set by their parent institutions, which may or may not be Covered Entities under HIPAA. Parent institutions take a range of approaches, and thus policies and procedures vary widely from repository to repository. This situation confuses researchers and makes it difficult for the archives community to develop standardized practices. The recent change in the Privacy Rule continues to allow a Covered Entity to set policies that are more restrictive than HIPAA. As is the case with state medical records laws, the more restrictive rule prevails.
To address these issues, SAA will:
1. Advocate for further changes in HIPAA at the federal level in the following areas:
2. Work with the Council of State Archivists (COSA) to advocate for changes in state medical record statutes to bring them in line with federal regulations to allow for standardization.
3. Encourage archivists working within HIPAA Covered Entities to develop a set of standardized “best practices” to share at the national level. Archivists working within Covered Entities should have available to them standard protocols that could be presented to the HIPAA compliance officers at their parent institutions as the nationally accepted procedures for handling PHI in archival collections.
4. Encourage interested SAA Sections and Roundtables to advocate for these changes, in partnership with interested scholarly associations representing researchers, such as the American Association for the History of Medicine, and with citizen groups such as genealogists.
5. Encourage interested SAA Sections and Roundtables to survey repositories documenting the history of the health fields regarding the experiences of researchers in applying to Institutional Review Boards and Privacy Boards for access to protected holdings.
The Health Information Portability and Accountability Act (HIPAA) was adopted by Congress in 1996. The U. S. Department of Health and Human Services developed the proposed Privacy Rule in 2002, and it went into effect on April 14, 2003.
The HIPAA Privacy Rule is intended to protect the privacy rights of individuals, and it defines certain elements of information as Protected Health Information (PHI). Thus the rule governs access to information rather than access to records. It is the first comprehensive federal law on access to and use of health information; the first general federal medical privacy law to extend rights of privacy beyond file unit of the medical record to individually identifiable health information in all types of file systems, documents, formats, and media; and the first federal law to extend rights of privacy beyond health information of living individuals to health information of decedents. Although much of the Privacy Rule was needed to protect individuals’ health information in the digital age, some aspects created compliance requirements that either were overly broad or left gaps in protection. HIPAA also defined “Covered Entities” as those institutions that are subject to HIPAA and must comply with its provisions.
Adoption of the Privacy Rule under HIPAA has had a major impact on archivists who are responsible for collections documenting the health sciences.
Interpretations of and the application of the HIPAA Privacy Rule to archival repositories vary widely based on a number of factors (the most prominent of which is whether the repository is part of a Covered Entity). In the absence of clear guidance and consistent best practices, some repositories can and do restrict access to collections that could be made available under the terms of HIPAA and state laws governing health information and medical records.
As archivists came to understand the implications of HIPAA for their repositories, they began to advocate for changes to the rule. In 2005, Nancy McCall and Stephen Novak testified to the National Committee on Vital and Health Statistics regarding the impact of the Privacy Rule on archives at Covered Entities. They pointed out that the Privacy Rule applied only to archives designated as part of HIPAA Covered Entities and did not apply to archives that are not part of Covered Entities but that also hold medical records and other related health information. They noted that HIPAA contained no provision for passage of time and questioned whether incidental health information related to long-deceased individuals required protection.
In July 2010, as a result of the HITECH ACT, the Office for Civil Rights of the U.S. Department of Health and Human Services (OCR) proposed changes to the Privacy Rule that took into consideration the concerns of archivists and historians, citing the testimony of McCall and Novak. Archivists and historians submitted comments both individually and through their professional organizations regarding the proposed changes.
On January 25, 2013, OCR published in the Federal Register its final rule to implement the privacy and enforcement provisions of the HITECH Act (the “Final Rule”). The Final Rule, which was effective on March 26, 2013, with a compliance date of September 23, 2013, modifies the HIPAA Privacy, Security, and Enforcement rules. Covered Entities had a deadline of September 23, 2014, to revise existing Business Associate Agreements in light of the changes in the Final Rule.
In considering these various Rules, SAA’s opinion is informed by the belief that personal privacy should be respected throughout an individual’s lifetime in appropriate ways. Documents that record private information related to the health of living individuals should be disclosed involuntarily only when disclosure accomplishes a greater public purpose. The need for privacy rights to be extended to deceased individuals and the harm of disclosing their health information decreases over time. It is impractical for the staff of archival repositories to “de-identify” health information in all types of documents so that it may not be used to identify an individual. Further, for many types of studies, the removal of identifiers devalues the usefulness of the information and compromises the scope of research. It is impractical and not always advisable to seek out a personal representative for the long-deceased to authorize disclosure of individually identifiable health information. Archivists continue to advocate for a balance between reasonable access to historical documentation and necessary protections of individual privacy.
 For the SAA comment submitted by SAA President Helen Tibbo on September 13, 2010, seehttp://www2.archivists.org/sites/all/files/SAA_HIPAA_091310.pdf. On November 27, 2007, SAA had submitted a letter to individual members of the Senate’s Health, Education, Labor, and Pensions (HELP) Committee in response to introduction of S. 1814, The Health Information Privacy and Security Act of 2007, authored by Senators Kennedy and Leahy. See http://www2.archivists.org/news/2007/saa-urges-congress-to-reconsider-hipsa-provisions.
 The final rule is available in full in the Federal Register: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
Members of the Society of American Archivists Science, Technology and Health Care Roundtable (STHC) and the Archivists and Librarians in the History of the Health Sciences (ALHHS) have compiled a HIPAA resource page that includes links to the Privacy Rule and official resources from the Department of Health and Human Services, testimony by archivists on HIPAA, background articles, presentations, and other resources and tools for archivists. See http://www.alhhs.org/hipaa_sthc_alhhs.html. (Accessed July 10, 2014.)
Approved by the SAA Council: August 2014