Tuesday, September 18, 2012

HIPAA and Health Information Privacy Rules: Almost There. - Health Management Technology

Proposed rules strike a good balance between patients' rights and providers' access to information.

In support of its goal to guarantee health information security and privacy, the U.S. Department of Health and Human Services (HHS) has released two sets of rules relating to HIPAA. The first set of rules, released in August of 1998, addressed health information security.

The second set of proposed rules, released Nov. 3, 1999, concerns health information privacy. These rules address a relatively limited set of issues associated with confidentiality. The privacy rules determine who is authorized to do what under what circumstances. (See WebWatch on page 14 for additional sources of information on HIPAA.)

Privacy Overview

In sharp contrast to HIPAA's proposed security rules, the proposed health information privacy rules appear reasonable and implementable. They have been drafted with the needs of healthcare providers in mind, and reflect an understanding of healthcare operations. Indeed, the proposed privacy rules are as remarkable in their allowable exceptions as in their requirements.

HHS has prepared the proposed privacy rules under legislative constraints imposed by HIPAA. In the privacy Notice of Proposed Rule Making (NPRM), HHS repeatedly laments these constraints and calls upon Congress to override them legislatively. These constraints are:

* The proposed rules can apply only to providers, plans, and clearinghouses.

* The proposed rules can apply only to health information that is maintained or transmitted in electronic format, sparing purely paper-based information.

* The proposed rules cannot pre-empt more restrictive state laws and regulations.

HHS attempts to circumvent these constraints through a variety of means, but ultimately Congress must make the final determination of scope.

Privacy Rules Details

The proposed privacy rules focus on the following elements:

Protected Health Information: The proposed rules define what information is protected by the rules, what information is not, and how information moves between protected and unprotected categories. In essence, protected health information is any information relating to one's physical or mental health, the provision of one's healthcare, or the payment for that healthcare, that has been maintained or transmitted electronically and that can reasonably be identified with the individual it applies to. Specific exceptions are made for health information about inmates and education records protected by other legislation.

Covered Entities: HIPAA limits the entities covered under the act to healthcare payors, providers, and clearinghouses. Even protected health information escapes the controls and penalties of the act once it is in the hands of a non-covered entity such as an employer, school, or marketing organization. The proposed rules attempt to extend HIPAA's privacy umbrella to such non-covered entities through contractual requirements on covered entities when information is shared with 'business partners.'

Patient Authorization Requirements: The proposed rules don't require patient authorization for the release of protected health information if the purpose of the release falls within the broad categories of treatment, payment for treatment, or healthcare operations. This is a significant liberalization of practice, where patients sign a blanket release before being admitted to a hospital or physician practice. Subject to certain exceptions, other releases require specific authorization by the patient.

The exception list is long, however, and includes release of information for research purposes, legal proceedings, public health oversight activities, fraud investigations, medical emergencies, and urgent law enforcement needs. Where authorization is required it must be specific to the release. Blanket authorizations are not acceptable, and compound authorizations combining privacy release with authorization for treatment and payment are also prohibited.

When protected health information is disclosed, a minimum necessary standard applies: All reasonable efforts must be made not to disclose any more than is necessary to accomplish the intended purpose of the disclosure. Even disclosures involving patient care are subject to this restriction.

The covered entity must keep an accounting of any disclosures of health information made other than for treatment, payment, healthcare operations, oversight, and law enforcement, and must provide that accounting to the individual whose protected information was disclosed, upon request.

Patient's Right of Access and Correction: The proposed rules guarantee a patient's right to inspect or obtain copies of his or her protected health information from a provider or plan--clearinghouses are excepted. This rule is broad and firm. In contrast to the other sections in the proposed rules, exceptions to the right of access are very limited. The primary exceptions are for circumstances reasonably likely to endanger the life or physical safety of that individual or another person (emotional health is excluded), and for clinical research (see Special Cases).

The proposed privacy rules would codify in law a revolutionary concept--the patient's right to correct or amend his or her medical record. This reflects an idea that has enjoyed much lip service but little substantive support: Patient ownership of the medical record. Although under the proposed rules this right is limited by reasonable protections for the covered entity who controls the protected information, for the first time a patient will have a right to ask for corrections or amendments to his or her medical record, and to place an explanation into the record if that request is denied.

The discussion that HHS released with the proposed rules makes clear that there is no requirement that incorrect information be removed from the record; rather it should be labeled as corrected, and the correction appended.

Administrative Requirements: Administrative requirements are the most straightforward component of the proposed privacy rules, and generally reflect good business practices that most entities would employ to implement the requirements of the rule. Each covered entity must:

* Designate a privacy official.

* Designate a contact person or office for receiving complaints.

* Have a workforce privacy training program. The proposed rule specifies that employees likely to have access to protected information must receive training. They must sign a certification on completion of training. No further specific training is required unless the policies change, although every three years employees must sign a statement that they will continue to honor the covered entity's privacy policies and procedures.

* Develop and apply sanctions for violations.

* Implement administrative, physical, and technical safeguards to ensure that protected health information is not used in violation of the proposed rules. This language is reminiscent of language in the proposed security rules. In contrast to the security rules, however, the detailed requirements of the privacy rules are rather relaxed. For example, although the privacy standard requires mechanisms for verifying the identity and authority of people requesting access to information, this requirement is waived for people interacting with the covered entity 'in the normal course of business or otherwise known to the covered entity' and government agents can satisfy this requirement merely by presenting a written request on the agency's letterhead.

* Prepare a Notice to Individuals of Information Practices, to be posted in a prominent place, and provided to individuals on their first encounter (clearinghouses are excluded from this requirement). A model Notice to Individuals of Information Practices is provided in the proposed rules.

* Have procedures for mitigating the impact of violations of the privacy rules, 'to the extent practicable.'

In addition, each covered entity must maintain health information privacy policies and procedures.

Special Cases

Business Partners: Among the most controversial aspects of the proposed privacy rules are the requirements relating to business partners. Business partners are people or entities that perform a function or activity for the covered entity, and include attorneys, consultants, outside auditors, and, of course, other covered entities. Although there is disagreement on this point, it is likely that vendors of e-health services that maintain protected health information on their servers or transmit it over networks or the Internet will be classified as business partners.

Covered entities must take 'reasonable steps' to ensure their business partners are in compliance, including executing contracts with business partners that bind the business partner and its subcontractors to the same standard of information privacy as the covered entity. Since HIPAA does not permit applying regulatory sanctions for violations except to covered entities, the proposed rules make the covered entities responsible for ensuring the compliance of their business partners.

HHS may succeed in breaking this constraint and open the door to individual private action against business partners. The proposed rules have an interesting phrase, stating that individuals whose protected health information is disclosed to business partners are 'intended third party beneficiaries' of the contract between the business partner and the covered entity. This has been interpreted as exposing business partners to possible private action by individuals whose privacy has been violated. This is an interesting twist, since there is no similar right of private action against covered entities.

Research: Academic medical centers and the private research community can breathe a sigh of relief. There had been fear that the privacy rules would impose significant constraints on the use and exchange of individually identifiable health information for research purposes, including clinical trials and genetic research. Quite the contrary, under the proposed rules, not only can protected health information be released without authorization for research purposes, specific provisions for denying patient access to their individually identifiable health information are included to protect the integrity of blinded research studies.

For research to qualify under the proposed rules, it must be approved by an Institutional Review Board (IRB) or by a similar body defined in the proposed rules, a privacy board, whose purpose is to give the private sector an oversight body comparable to the IRB of an academic institution.

De-identification: When is protected health information not protected health information? What must covered entities do to free protected health information of privacy requirements under the proposed rules? The information must be de-identified. De-identification is an interesting concept, and does not require that identifying information be permanently removed. It requires that identifying information be either removed, coded, encrypted, or otherwise concealed, so that the recipient of the de-identified information would be very unlikely to be able to identify the individual. The covered entity may keep the key to the code, so that it can re-identify the individual if needed. The key to the code would be designated as protected health information, and re-identified health information would again be subject to privacy protections.

De-identification allows for health maintenance and disease management programs that might otherwise be excluded under the privacy rules. A healthcare provider can de-identify a patient's health profile and transmit it to the patient's employer. On the basis of this information, the employer may identify the patient as high risk, and recommend to the provider that the patient be placed into a special healthcare program. The provider could then re-identify the patient and provide the necessary care, without the employer ever learning of the patient's identity.
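The provider-to-employer scenario above, worked through as an added example (not code from the article): identifiers are replaced by a keyed code, the recipient works only with codes and the clinical profile, and the covered entity alone holds the key and lookup table needed to re-identify. The records, the key, and the HMAC-based coding scheme are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample records; not real patients.
RECORDS = [
    {"name": "Alice Example", "ssn": "000-00-0001", "dob": "1970-01-01",
     "risk_factors": ["smoker", "hypertension"]},
    {"name": "Bob Example", "ssn": "000-00-0002", "dob": "1985-05-05",
     "risk_factors": []},
]
IDENTIFIERS = ("name", "ssn", "dob")   # fields the recipient must never see


def new_key() -> bytes:
    """The re-identification key; under the proposed rules it is itself PHI."""
    return secrets.token_bytes(32)


def make_code(key: bytes, record: dict) -> str:
    """Keyed code: stable for the same patient, not reversible without the key."""
    material = "|".join(record[f] for f in IDENTIFIERS).encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()[:16]


def deidentify(key: bytes, records: List[dict]) -> Tuple[List[dict], Dict[str, dict]]:
    """Return (profiles safe to send out, lookup table kept by the covered entity)."""
    profiles, lookup = [], {}
    for rec in records:
        code = make_code(key, rec)
        lookup[code] = {f: rec[f] for f in IDENTIFIERS}
        profiles.append({"code": code, "risk_factors": list(rec["risk_factors"])})
    return profiles, lookup


def employer_flags_high_risk(profiles: List[dict]) -> List[str]:
    """The employer's side: it sees codes and risk factors only, never a name."""
    return [p["code"] for p in profiles if "hypertension" in p["risk_factors"]]


def reidentify(lookup: Dict[str, dict], code: str) -> dict:
    """The provider's side: map a flagged code back to the patient for follow-up."""
    return lookup[code]


if __name__ == "__main__":
    key = new_key()
    profiles, lookup = deidentify(key, RECORDS)
    for code in employer_flags_high_risk(profiles):
        print("enroll in care program:", reidentify(lookup, code)["name"])
```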

Almost There

The proposed HIPAA privacy rules provide a reasonable balance between patients' right of privacy and information access needs of providers, payors, regulatory bodies, and research investigators. The rules guarantee a patient's right to inspect and copy his or her health information, and create a new patient right of correction and amendment.

While the rules allow covered entities free exchange of information for purposes of treatment, billing, oversight, and research, they restrict covered entities and their business partners from using this information without specific authorization for most other purposes.

While balanced as far as they go, the proposed privacy rules are limited to health information maintained or transmitted by electronic means. HHS has requested that Congress expand the reach of the act to include all individually identifiable health information, including non-electronic, and to anyone who touches it. Operating within HIPAA constraints, the proposed rules attempt to extend at least some measure of privacy protection to protected health information that is disclosed to business partners of covered entities.

Purpose of HIPAA

The purpose of the Health Insurance Portability and Accountability Act of 1996 is to:

* Curtail fraud and abuse in healthcare

* Enforce health information standards

* Guarantee health information security and privacy

* Assure health insurance portability for employees

Information security has three components:

1. Confidentiality--the ability to restrict the release of information to those authorized to have it.

2. Integrity--the assurance that health information has not been altered maliciously or inadvertently.

3. Availability--access to health information in the face of unexpected events such as system failures, natural disaster, and malicious activity.

HIPAA Updates & Resources

Because of the complexity of the proposed privacy rules, the U.S. Department of Health and Human Services has extended the comment period to mid-February of this year, and the timetable for issuing the final privacy rules remains in limbo. The proposed rule for the national individual identifier has been put on hold until the privacy standards can be put in place. At press time, HHS is expected to issue final rules for transactions, code sets, and an employer identifier in March, for security in May, and for a national provider identifier in June. For updates, visit the HHS Website at www.hhs.gov.

For an overview of the HIPAA security proposal, read HIPAA's Impact on Healthcare by Dr. Hellerstein in the April 1999 issue of HMT or on the HMT Website at www.healthmgttech.com.

A White Paper on the impact of HIPAA on the networking element of systems, by Rick Gilman, vice president of healthcare for Ensource, Inc., Jacksonville, FL, can be accessed at www.ensource.net.

For additional HIPAA resources, see WebWatch on page 14 in this issue of HMT.

David Hellerstein, M.D. Ph.D., is a consultant in the Health Care Regulatory Group for PricewaterhouseCoopers, LLC.