Tuesday, September 25, 2012

Understanding new HIPAA privacy standards for hospitals and other providers (HIPAA) - Healthcare Strategic Management

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by Congress in an attempt to bring 'administrative simplification' to the health care industry. One aspect of HIPAA is the privacy rule, issued by the Department of Health and Human Services (HHS) in December of 2000. The intent of this privacy rule is to protect patients' privacy rights with respect to certain of their health care information while also improving the efficiency and effectiveness of electronic transmissions of this information. The privacy rule states that covered health care providers may not use or disclose certain health information unless such use or disclosure is specifically permitted or required by the rule. This rule is predicted to have a major, widespread effect on the use and disclosure of information throughout the health care industry. With that in mind, this article will attempt to familiarize covered providers with the rule and set forth several important points to consider as providers work towards HIPAA compliance.

Who is covered by the HIPAA privacy rule?

* Health care clearinghouses (including billing services, other health care information management entities)

* All health care providers (including private physicians) who electronically transmit certain health care information (including claims and other encounter information, payment information, health plan enrollment information, health plan eligibility, health plan premiums, referral authorization and related information, first report of injury, health claims attachments, etc.)

* All providers who use billing services, clearinghouses, hospitals, or any other person or entity to electronically transmit such claims and other information on the provider's behalf

* Health plans (including HMOs, most group plans, health insurance issuers, employee welfare benefit plans, etc.).

What information is covered by the HIPAA privacy rule?

Protected health information includes information (oral, written and electronic) which identifies, or reasonably could be used to identify, a patient and which relates to the patient's past, present or future physical or mental health or condition; history of health care treatments received; and past, present or future payment for the provision of health care.

Key points to consider

These are just a few of the important considerations covered providers will face as they attempt to become HIPAA compliant. All covered providers must review the privacy rule carefully, preferably in consultation with legal counsel, to ensure compliance.

Know the compliance deadline and the penalties for non-compliance

Most health care providers covered by the privacy rule must be compliant by April 14, 2003 (April 14, 2004, for small health plans or providers). Violations of the HIPAA privacy rule may carry hefty penalties. Violators may face civil fines of up to $25,000 per person per violation per calendar year, and criminal penalties including a fine of up to $50,000, $100,000 or even $250,000 for certain violations, and possibly even imprisonment of up to 10 years. In addition, non-compliance with the privacy rule may expose covered providers to negligence claims.

Draft written policies and procedures

Covered providers must draft written policies and procedures regarding the use and disclosure of protected health care information. Examples of items to be included in a well-drafted policy statement include:

* Allowing patients access to their health records (with some exceptions), and providing patients with a six-year accounting of most health information disclosures.

* Allowing patients to amend their health information (with some exceptions).

* Allowing patients to request that the health provider use alternate communication means for protected health information (for example, sending specified information to a patient's alternate address). Also allowing patients to request that the provider restrict disclosure of certain information.

Provide notice to all patients

All covered health care providers must provide to patients written, plain language notice (during office visits, through postings at premises and on Web sites, etc.) of the provider's procedures on the use and disclosure of patient health information and a description of the patient's rights and the provider's legal duties under the privacy rule.

The covered provider must designate and train a 'privacy official' to implement its policy, and a responsible person to receive and process inquiries and complaints in accordance with the rule. These persons must provide HHS with compliance reports and copies of certain records upon request to demonstrate compliance.

Train personnel

Training a covered provider's workforce as to how to store, use and disclose protected health information is crucially important, not only to ensure that the covered provider's policies and procedures are understood and followed, but also because HHS requires that covered providers document such training and produce such documentation upon request.

Obtain patient consents and authorizations (and understand the difference)

Covered providers must understand when patient 'consent' is required (for health care providers, for the use and disclosure of protected health information specifically for purposes of treatment, payment and health care operations) and when specific patient 'authorization' is required (for all other covered providers and for all other disclosures of protected health information). Also, physicians must understand that certain authorizations are required to use information about research subjects. Covered providers must carefully draft such consents and authorizations to ensure they are in compliance with the privacy rule. (Covered providers must also understand the rule's restrictions on whether they may condition treatment on getting a consent or authorization, and whether they may administer certain health care treatments without prior consent or authorization.)

Understand business associate liability

A covered provider may allow a 'business associate' to gain access to protected health information, but the provider must first receive 'satisfactory assurance' (in the form of a 'business associate contract') that the business associate will protect the information in accordance with the privacy rule (and that the business associate will require the same compliance from its subcontractors and agents). A business associate's violation of HIPAA's privacy rule may expose a covered provider to liability as well, so covered providers must understand this aspect of the rule. In general terms, a 'business associate' is a person or entity who either:

* Receives protected health information from the covered provider in the performance of its service (legal, actuarial, accounting, consulting, data aggregation, management, administration, financial services, etc.), or

* Performs a function or service involving the use or disclosure of protected health information on the behalf of the covered provider (a clearinghouse, hospital, etc.).

Understand the 'minimum necessary' rule

The privacy rule requires covered providers to use and disclose protected health information only to the 'minimum necessary' to accomplish the purpose of such use or disclosure (with exceptions).

Modify use of e-mail

Covered providers must pay particular attention to their use of e-mail in transmitting protected health information to patients and to others to ensure they do not violate the privacy rule.

The privacy rule affects the ways in which covered providers may use patient protected health information to engage in fundraising and marketing efforts. Providers must understand what types of patient consents and authorizations are needed for them to engage in such efforts, and in what ways such efforts must be modified to ensure compliance.

Understand how this rule interacts with state and federal laws

The HIPAA privacy rule is complicated and wide-reaching. This rule will change the way certain health information is stored, used and disclosed throughout the health care industry. Even though most covered health care providers are given until April of 2003 to comply with the rule, providers should commence their efforts to become compliant, because their task is potentially a large one. Providers must determine what information may be disclosed, how it may be disclosed, and to whom it may be disclosed. They must draft policies, procedures, patient notices, consents, authorizations and business associate contracts. They also must begin training their personnel. These are large undertakings and must be done correctly, preferably in consultation with experienced legal counsel to guide such providers through the rule.

Rhonda Carniol is of counsel and Karen Sheehan is an associate with Lowenstein Sandler of Roseland, N.J. Both practice in the firm's Technology & Internet Group, which has an expertise in technology privacy issues. Carniol can be reached at rcarniol@lowenstein.com or at 973-597-2354 and Sheehan can be reached at ksheehan@lowenstein.com or 973-597-2336.