Health Insurance Portability and Accountability Act
By Michael N. Mercurio

As of April 14, covered entities under the 1996 act must abide by standards for the use and disclosure of patients’ individually identifiable health information.

SPECIAL TO THE NATIONAL LAW JOURNAL

Michael N. Mercurio is an associate at Owings Mills, Md.’s Offit, Kurman, Yumkas & Denick, where he specializes in health, corporate and tax law.

A California woman with a work-related wrist injury, who authorized her insurance company to release her wrist diagnosis to her employer, was horrified to find out that her entire medical record was released to her employer, including information on her recent fertility treatment and pregnancy loss. A New York congresswoman was shocked to learn that a New York hospital faxed her confidential medical records, including a bout with depression and a suicide attempt, to a local newspaper and television stations on the eve of an election primary. E-mail users of a large insurance company’s online services were startled to receive messages, sent to the wrong recipients, containing sensitive patient information. See stories compiled by the Health Privacy Project of the Institute for Health Care Research and Policy of Georgetown University, at www.healthprivacy.org/usr_doc/privacystories.pdf.

When Congress passed the administrative simplification portion of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), it attempted to provide individuals with protections for the integrity, confidentiality and availability of their private health information. Unfortunately, with the advent of the electronic age, the above examples of the type of offenses Congress hoped to reduce or eliminate with HIPAA are just the tip of the iceberg. The rule promulgated under HIPAA that arguably requires covered entities to make the most changes is the Standards for Privacy of Individually Identifiable Health Information, known as the privacy rule, which will go into effect on April 14. 45 C.F.R. parts 160 and 164.

Congress designed HIPAA to reduce administrative costs through the standardization of electronic health care transactions as well as the development of a comprehensible regulatory structure to ensure the security, integrity and authenticity of health information. To achieve this end, the administrative simplification provisions of HIPAA require the establishment of four national standards:

• Electronic transactions and code sets – encoded data elements, such as diagnostic codes – for the standardization of electronic health transmissions. 45 C.F.R. parts 160 and 162;
• Detailed privacy guidelines establishing a uniform threshold for determining when to allow access, use and disclosure of personal health information – i.e., the privacy rule. 45 C.F.R. parts 160 and 164;
• Security standards to protect against the unauthorized access of health information. 45 C.F.R. parts 160, 162 and 164; and
• Unique standard identifiers for providers, employers and health plans to support the various transmissions. 45 C.F.R. parts 142 (proposed), 160 and 162.

Generally, health plans, health care clearinghouses and health care providers that engage in certain electronic transactions are considered covered entities and, as such, typically will need to meet the administrative simplification standards set forth in HIPAA and its corresponding regulations. Other businesses and entities may voluntarily comply with the standards but are not required to do so by law. The final privacy rule’s effective date was April 14, 2001, and covered entities had two years to become compliant with the standards, except for “small health plans,” which had three years to become compliant, or until April 14, 2004.
Implementing standards

HIPAA requires the Department of Health and Human Services (HHS), the agency primarily charged with developing the standards and corresponding regulations, to adopt the current industry standard where appropriate, working with private-industry standard-setting groups to develop and arrive at the necessary standards for each legal requirement. Within HHS, one office, the Centers for Medicare and Medicaid Services, is charged with developing and implementing the transactions, code sets, security and unique identifier rules, while a second office, the Office of Civil Rights, is responsible for the privacy rule.

The finalization of the regulations pertaining to the above standards is at a different stage for each standard. For example, Oct. 16 will be the deadline for compliance with the electronic transactions and code-sets rule for all covered entities that filed an extension plan, as well as for small health plans. As the final security rule was just published on Feb. 20 in the Federal Register, the deadline for compliance is April 21, 2005, for all covered entities except small health plans, which will have until April 26, 2006. However, the rule that is on most people’s minds these days, due to its imminent compliance date of April 14, is the privacy rule. With the privacy rule, Congress recognized that advances in electronic technology could erode the privacy of health information. Thus Congress incorporated into HIPAA provisions that mandate the adoption of federal privacy protections for individually identifiable health information.

The privacy rule’s provisions

As mentioned above, the responsibility for implementing and enforcing the privacy rule standards lies with the Office of Civil Rights within HHS. The final privacy rule was published in the Federal Register on Dec. 20, 2000, and amended on May 31, 2002. On Aug. 14, 2002, final modifications to the final privacy rule were published, clarifying a number of areas of concern to those in the health industry. The privacy rule provides the first comprehensive federal protection for the privacy of patient health information. HHS has been careful to balance the privacy rule to provide strong protections that do not interfere with patient access or the quality of health care delivery. As with all of the HIPAA rules, the privacy rule does not replace federal, state or other law that grants individuals even greater privacy protections but rather sets a national baseline standard for uniform protection.

In addition, built into the privacy rule are the concepts of scalability and flexibility. HHS has consciously attempted to develop rules that would apply equally and be equally effective no matter the size of the covered entity, from the huge health plan to the two-person physician office. Thus, the degree of implementation and the depth of changes necessary for compliance will depend upon the size and scope of the covered entity’s practice.

Generally, the privacy rule establishes safeguards for the use and disclosure of a person’s individually identifiable health information. The rule gives the patient specific rights to control the use and accessibility of his or her medical records and limits the release of the patient’s information to the “minimum necessary” for the purpose of disclosure. Thus, the thrust of the privacy rule surrounds certain standards establishing guidelines and limitations for the use and disclosure of patient health information that is individually identifiable. Information that has been de-identified — that is, stripped of all of its individual identifying information, Social Security number, etc. — is not subject to the privacy rule.

Providing notice
The notice is a document that every covered entity must provide to its patients, as of April 14, describing the uses and disclosures of the individual’s protected health information that may be made by the covered entity, the individual’s rights and the covered entity’s duties with respect to protected health information. The regulation sets forth many required elements in the notice so that the individual receiving it will have a blueprint of exactly how the covered entity will treat his or her health information. The privacy rule provides that each covered entity must make a good-faith effort to obtain a written acknowledgement of receipt of the notice by the individual and, if the covered entity cannot obtain the acknowledgement, then the covered entity must clearly document the reason why such acknowledgement was not obtained.

The notice generally governs only those situations in which the individual’s health information is used for “treatment, payment or health care operations.” Other situations in which the covered entity may use or disclose an individual’s protected health information — e.g., marketing or research — require the covered entity to obtain a specific authorization from the individual for that use or disclosure. The privacy rule provides for very specific requirements that must be contained in each authorization. In some respects, the authorization required under the privacy rule is similar to the informed-consent forms that most persons are familiar with when consenting to treatment. However, in the privacy rule context, the authorization is for the use or disclosure of the individual’s health information as opposed to treatment.

In addition, among other things, the privacy rule requires that covered entities assemble a privacy-compliance manual for their staff, provide their staff with specific training on the privacy rule and designate an individual in their office as the person responsible for all privacy matters.
With certain exceptions, such as treatment, payment or health care operations, a covered entity is required to be able to make an accounting of any disclosures of an individual’s protected health information for a period of six years before the date an individual makes such a request. Further, covered entities that farm out certain essential functions to agents must secure “business associate” agreements with those agents to ensure that the agents follow the privacy rule.

Overall, the underlying premise behind the administrative simplification provisions of HIPAA is that the establishment of national uniform standards for the transmission of electronic health information would create certain efficiencies and should ultimately create a more effective health care system. While most, if not all, states have statutes and regulations governing privacy, confidentiality and, to a certain extent, security, state laws are far from uniform. Few states, if any, have rules governing transactions, code sets and other pieces of HIPAA.

Typically, federal law pre-empts or overrides any contrary provisions of state law. However, with regard to HIPAA, Congress took a different approach by mandating that federal rules not supersede a contrary provision of state law if the state law is more stringent than the federal requirement. The administrative simplification provisions of HIPAA establish a floor of minimum requirements for all covered entities in all 50 states. To the extent a state law is more stringent than federal law, the state is permitted to enforce the requirements that exceed the federal minimum.

Federal enforcement of HIPAA is still evolving. To date, HHS has stated that the Centers for Medicare and Medicaid Services will enforce the transaction and code-set standards, security standards and unique identifiers, and the Office of Civil Rights will enforce the privacy standards.
HHS has further stated that enforcement will primarily be focused on obtaining voluntary compliance through the provision of technical assistance. In this regard, the enforcement process will rely primarily upon complaints from individuals, after which HHS will provide the covered entity with opportunities to demonstrate compliance or submit a corrective action plan. HHS has stated that it is developing further guidance on its enforcement of HIPAA standards. However, covered entities should be fully aware that, although HHS has stated it will be passive in its enforcement at this point, HIPAA does provide for substantial civil and criminal penalties should the violation warrant such a penal response.

While the HIPAA rules are far from clear in spots, and not necessarily the easiest to implement at times, in the end the hope is that the rules will bring a degree of simplification to the national health care industry. Practitioners need to recognize the individual needs of their clients and to advise them appropriately given the flexibility and scalability of the rules. They also need to familiarize themselves with the appropriate laws in their state as compared with the federal HIPAA law.

PUBLISHED WITH PERMISSION FROM THE MARCH 31, 2003 EDITION OF THE NATIONAL LAW JOURNAL © 2003 ALM PROPERTIES, INC. ALL RIGHTS RESERVED. FURTHER DUPLICATION WITHOUT PERMISSION IS PROHIBITED.