Friday, October 5, 2012

Looking ahead by looking back: healthcare organizations can partially assess where their future HIPAA efforts lie by evaluating how they handled HIPAA requirements and mandates of the past year. (HIPAA: Health Insurance Portability and Accountability Act of 1996) - Health Management Technology

The first two weeks of April 2003 will be remembered by many in healthcare as the last days of a mad dash toward compliance with HIPAA's privacy regulations. Copiers churned out Notices of Privacy Practices. Privacy policies and procedures were drafted and edited at a furious pace. Business associate agreements were negotiated and signed in droves. And April 14, 2003, came and went.

But unlike Y2K, HIPAA privacy is here to stay. Consequently, now is a good time to take stock of HIPAA privacy implementation efforts to date and to analyze issues and problems that are common among covered entities.

HIPAA Paralysis

There are plenty of recent examples in which covered entities have been slow to disclose or refused to disclose protected health information (PHI) even though disclosure may be permissible under HIPAA. The initial reaction of many covered entities to a request for PHI is, 'Sorry, I can't give it to you.'

Unfortunately, this approach can lead to frustrated customers, unflattering media coverage or, worst of all, injury to a patient. There have been well-publicized incidents of covered entities failing to disclose for purposes of treating a patient (when such disclosure is expressly permitted under HIPAA). For example, some 911 dispatchers refused to give emergency personnel the name of an individual in need of treatment, when the name would have helped the emergency personnel locate the individual.

HIPAA decision-makers must fight the initial urge to refuse to disclose PHI and examine the facts, considering both the practical and the HIPAA implications. HIPAA's privacy regulations allow for use or disclosure of PHI without an individual's authorization in a number of circumstances, including for treatment, payment and 'health care operations' purposes.

Common sense should play a role in the decision-making process for at least three reasons. First, although voluminous, the privacy regulations do not cover every situation, and common sense is a good guide for making determinations in the 'gray areas.' Secondly, part of the common-sense analysis should be the risk that the individual would object to the use or disclosure of his/her PHI, which may even impact disclosures that are permitted under HIPAA. For instance, it may be permissible under HIPAA for a hospital to disclose PHI to an unrelated counselor for follow-up treatment, but if it is treatment of a sensitive nature (e.g., family planning, venereal disease), an individual may be upset that a disclosure of PHI was made even though permitted under HIPAA.

Finally, the Office for Civil Rights of the Department of Health and Human Services (OCR) has indicated that its enforcement approach is largely complaint-driven and that it would rather help a covered entity become compliant through outreach and education than to levy fines. In this type of enforcement climate, covered entities (with their counsel, as necessary) can use common sense and reasonable judgment in interpreting the privacy regulations. As long as the covered entity takes a reasonable position and contemporaneously documents its reasoning, it seems unlikely that the OCR would be interested in pursuing fines and penalties, at least at this point in time.

Deceased Individuals' Records

The privacy regulations clearly state that a deceased person's PHI must be given the same level of protection as a living person's PHI. The tricky part of handling a deceased person's PHI is determining who will control the use and disclosure of that PHI. The privacy regulations give an individual's 'personal representative' the same power over use and disclosure that the individual would have. They also state that if, under state law, an executor, administrator or other person has the power to act on behalf of the deceased's estate, the covered entity should treat that person as the deceased's personal representative.

If the deceased were alive, a covered entity could disclose PHI to a family member if the covered entity determined that it was in the best interest of the individual to do so. This flexibility is not available for a deceased individual. This dichotomy can put a covered entity in a difficult situation. For example, if an adult child is involved in the healthcare of his/her parent, a covered entity could disclose PHI to the child while the patient is living, but cannot disclose the same PHI to the child if that child is not the executor (or otherwise determined to be personal representative) for the deceased.

Handling PHI of deceased persons is best addressed through policies and procedures that require the person claiming to be a personal representative of the deceased to provide proof that he/she is legally entitled to control the use and disclosure of the deceased's PHI. Also, proper communication with the person who requests PHI is critical, especially in an emotionally charged atmosphere such as the recent death of a family member.

Business Associate Agreements

One of the most burdensome requirements of HIPAA's privacy regulations is the requirement that covered entities have written contracts with all of their business associates. These written contracts must have specific contractual obligations related to the handling of PHI. At great effort and expense, most covered entities have undertaken a campaign to enter into contracts with their business associates. Often, however, in the quest to obtain business associate agreements (or to include business-associate language in post-April 14 agreements), covered entities have lost sight of the nuances of a business associate relationship.

In some cases, covered entities have entered into business associate contracts with all vendors. While this practice is not necessarily harmful, it is important to note that requiring compliance with the business associate standards does not permit the disclosure of PHI unless that disclosure is otherwise permitted by HIPAA. For example, if a covered entity has a contract with a consultant, it cannot disclose PHI to that consultant simply because there are HIPAA-compliant business associate provisions in the contract. The covered entity must analyze whether the services provided by the consultant are 'business associate-type' services and the consultant needs PHI to provide the services.

A covered entity cannot simply rely upon the business associate provisions to allow a haphazard approach to disclosures to the business associate. Disclosures to business associates must meet the minimum necessary standard of the privacy regulations. For example, if a covered entity uses a collection agency, it is appropriate for the covered entity to give the information necessary to identify the claim (e.g., name and address of the patient, dates of service), but not other portions of PHI in the covered entity's possession (e.g., diagnosis, treatment).

How IT Can Help

Information technology can and should be part of the HIPAA privacy compliance solution. For example, technology can be applied to training and compliance monitoring.

IT can assist in training, not only by providing traditional online HIPAA programs describing HIPAA's privacy regulations and quizzes that test employees' knowledge of the covered entity's privacy policies and procedures but also through HIPAA informational e-mails, bulletin boards and FAQ pages. Consistent reinforcement of privacy obligations will help keep the issue of protecting PHI in the forefront of the minds of covered entities' employees.

Many covered entities that operate on a large scale have found that similar HIPAA privacy compliance questions arise across their enterprise. By creating and, more importantly, maintaining a readily accessible FAQ page, personnel can save time and resources by not requiring that every HIPAA privacy question be directed to the privacy officer or the legal department. In this time of shrinking HIPAA budgets and personnel resources, wisely applied information technology can be used to stretch thinning HIPAA resources.

Many covered entities have successfully applied information technology to assist them in complying with specific requirements under HIPAA's privacy regulations. For example, HIPAA's privacy rule requires that covered entities provide individuals with an accounting of certain disclosures of the individual's PHI. Many entities have automated the process of accounting.
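The two IT controls the article touches on, a minimum-necessary filter on what goes to a business associate (the collection-agency example above) and an automated accounting of disclosures, can be built on one disclosure log. The following Python is an added example written for this page, not code from the article or any vendor product. The role profiles, the purpose list, the patient record and the recipient names are all constructed; only the collection-agency field set (name, address, dates of service) comes from the article, and the exemption of treatment, payment and operations disclosures from the accounting reflects the privacy rule's accounting provision rather than anything the article states.

```python
"""Disclosure log with a minimum-necessary filter and an accounting-of-disclosures
report. Added example for this page; profiles and sample data are constructed."""
from dataclasses import dataclass
from datetime import date

# PHI fields each business-associate role may receive. The collection-agency
# profile follows the article (name, address, dates of service); the public
# health profile is a constructed assumption used only to exercise the report.
MINIMUM_NECESSARY = {
    "collection_agency": frozenset({"patient_name", "address", "dates_of_service"}),
    "public_health_authority": frozenset({"patient_name", "dates_of_service", "diagnosis"}),
}

# Disclosures for treatment, payment and health care operations do not appear
# in the individual's accounting under the privacy rule; everything else logged
# here does. Purpose strings themselves are constructed labels.
EXEMPT_FROM_ACCOUNTING = frozenset({"treatment", "payment", "operations"})

# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "patient_name": "Jane Doe",
    "address": "1 Example St, Columbus, OH",
    "dates_of_service": ["2003-05-02", "2003-05-09"],
    "diagnosis": "J45.20",
    "treatment": "inhaled corticosteroid",
}


class MinimumNecessaryViolation(Exception):
    """Raised when no profile exists for a recipient role (default deny)."""


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str
    fields_disclosed: frozenset
    fields_withheld: frozenset


class DisclosureLog:
    def __init__(self):
        self._entries = []

    def disclose(self, patient_id, record, recipient, role, purpose, disclosed_on):
        """Trim `record` to the role's allowed fields, log what was sent and
        what was withheld, and return the payload actually handed over."""
        if role not in MINIMUM_NECESSARY:
            raise MinimumNecessaryViolation(f"no minimum-necessary profile for role {role!r}")
        allowed = MINIMUM_NECESSARY[role]
        payload = {k: v for k, v in record.items() if k in allowed}
        withheld = frozenset(record) - allowed
        self._entries.append(Disclosure(patient_id, disclosed_on, recipient, purpose,
                                        frozenset(payload), withheld))
        return payload

    def accounting_for(self, patient_id, since):
        """Accounting of disclosures: every non-exempt disclosure of this
        individual's PHI on or after `since`, oldest first."""
        return sorted(
            (e for e in self._entries
             if e.patient_id == patient_id and e.disclosed_on >= since
             and e.purpose not in EXEMPT_FROM_ACCOUNTING),
            key=lambda e: e.disclosed_on)

    def all_entries(self):
        """Full log, including exempt disclosures, for internal monitoring."""
        return list(self._entries)


def run_demo():
    """Two disclosures of the same record: one to a collection agency (payment,
    exempt from the accounting) and one to a health department (reportable)."""
    log = DisclosureLog()
    to_agency = log.disclose("pt-001", SAMPLE_RECORD, "Example Collections Inc.",
                             "collection_agency", "payment", date(2003, 6, 1))
    log.disclose("pt-001", SAMPLE_RECORD, "State Health Department",
                 "public_health_authority", "public_health", date(2003, 7, 15))
    report = log.accounting_for("pt-001", since=date(2003, 4, 14))
    return to_agency, report, log.all_entries()


if __name__ == "__main__":
    payload, report, entries = run_demo()
    print("sent to collection agency:", sorted(payload))
    print("accounting entries:", [(e.recipient, e.purpose) for e in report])
    print("logged in total:", len(entries))
```

The payload returned by `disclose` is what actually leaves the organization, so any code path that sends PHI to a vendor goes through the profile lookup and is logged in the same call; an unknown role raises rather than defaulting to the full record, and the withheld fields are recorded so a later OCR inquiry can be answered with exactly what was and was not sent.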

IT can also be used to monitor and track compliance. Compliance monitoring and tracking can take the form of electronic monitoring of access to and disclosures of medical records, establishing a method for anonymously reporting suspected HIPAA violations, tracking and documenting training efforts, and monitoring vendor contracts to ensure business associate agreements are in place.

Covered entities can use IT to document their commitments to HIPAA compliance efforts. The OCR has indicated it will look for bad actors when bringing enforcement actions. Therefore, if a covered entity can respond to an OCR inquiry with specific information about how a particular disclosure was handled, and provide evidence of its training efforts, handling of prior complaints and mitigation efforts, that covered entity will be in a better position to deal with the OCR. By showing its good-faith compliance effort, a covered entity can paint a more favorable and accurate picture of its commitment to protecting the PHI of its patients or enrollees.

Since April 14, 2003, covered entities have learned that although the focus on HIPAA privacy compliance may have diminished, HIPAA privacy will not go away. That has been a lesson for all of us.

Jeffrey L. Kapp is a partner with the law firm of Jones Day in the firm's Columbus, Ohio, office. Contact him at jlkapp@jonesday.com. The views set forth herein are the personal views of the author and do not necessarily reflect those of his firm or its clients and should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general informational purposes only.