This posting is one of several that outline the HITECH privacy provisions of the American Recovery and Reinvestment Act that President Obama signed into law on Tuesday, February 17, 2009, in Denver, CO. Here, we reproduce the definitions that appear in Subtitle D—Privacy, Section 13400. Definitions, that appear in the Conference Report on page H1345 of Congressional Record—House, February 12, 2009. These definitions are critical in understanding the content of the new HITECH privacy provisions and how they relate to existing HIPAA Administrative Simplification Privacy Rule standards.
HIPAA Privacy Definitions:
PERSONAL HEALTH RECORD
The term ‘personal health record’ means an electronic record of PHR identifiable health information (as defined in section 13407(f)(2)5) on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.
5 “The term ‘PHR identifiable health information’ means individually identifiable health information, as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and includes, with respect to an individual, information (A) that is provided by or on behalf of the individual; and (B) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” See Congressional Record-House, February 12, 2009, p.H1348, which is available on the hipaa.com Web site.
Section 1171(6) of the Social Security Act is available online at: http://www.ssa.gov/OP_Home/ssact/title11/1171.htm. Subsection 6 states: Individually identifiable health information.—The term “individually identifiable health information” means any information, including demographic information collected from an individual, that—(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and—(i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.