Banks, Schools Need Clarity on Privacy Rule Provisions
Health Data Management (July 14, 2004)

The Department of Health and Human Services should consider whether to require encryption of protected health information moving through the financial industry's automated clearinghouse network, an advisory committee has recommended to HHS Secretary Tommy Thompson. Further, the department should clarify if provisions in the privacy rule that exempt financial institutions from being covered entities need modifications as banks begin to offer claims clearinghouse services, according to recommendations from the National Committee on Vital and Health Statistics. The committee this year is reviewing aspects of the privacy rule to determine if modifications are appropriate. It recently sent Thompson separate letters recommending clarifications or changes in provisions affecting financial institutions, schools and law enforcement. It now is studying the rule's impact on marketing, fundraising and communications with the media.

Confusion about privacy rule provisions has resulted in students not receiving necessary health care at school, the committee told Thompson. "Many school nurses provide daily care for students with complex medical conditions, such as ventilator support, ostomy care or dialysis," according to the committee's letter. "As schools are not generally considered health care providers under the privacy rule, the student's provider needs parental authorization before providing information to the school for treatment."

Consequently, HHS should make clear that disclosure of health information to school health personnel to deal with the health needs of students "is a disclosure for treatment" and does not require an authorization, according to the NCVHS letter.

Further, the committee recommends that HHS regard disclosure of immunization records to schools as a public health disclosure, and thereby permitted without an authorization under the privacy rule. HHS also should continue to work with the Department of Education to clarify how the privacy rule interacts with other federal privacy provisions, particularly those under the Federal Educational Rights and Privacy Act of 1974, according to the committee.

Testimony from the Department of Justice's Drug Enforcement Administration indicated the privacy rule may be limiting information reported to the DEA by physicians, pharmacists and others subject to controlled substances laws. The DEA believes some physicians and pharmacists are not reporting suspicious prescription activity because they believe the privacy rule prohibits such reporting, according to the testimony. "Also, some states have prescription-monitoring programs, which are programs supported by the DEA," the NCVHS told Thompson in a separate letter covering law enforcement issues. "Some entities covered by these state programs are reluctant to comply with reporting requirements because they have misinterpreted the HIPAA privacy rule as preventing such communications."

Consequently, the NCVHS recommended that HHS work with the DEA to ensure providers that communications about suspected drug diversion activities or complying with state reporting requirements are permissible under the privacy rule.

Copies of the NCVHS recommendations covering financial institutions, schools and law enforcement are available at

Posted to HIPAAcomply 7/14/04