The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Privacy Rules took effect on April 14, 2003. Businesses are seeking legal help with various parts of the Privacy Rules: reviewing Business Associate Agreements; drafting Privacy Notices and HIPAA Compliant Authorizations; revising personnel policies relating to ADA, FMLA, Workers' Compensation, and Drug Testing; and resolving issues of privacy involved in providing service to minors. Like all new regulations, the HIPAA Privacy Regulations require a fair amount of interpretation and leave many issues unaddressed. Compliance with HIPAA's Privacy Rules will require legal assistance for some time. Below we describe a few of the problems that have surfaced in implementing the HIPAA Privacy Rules.
A. Business Associate Agreements.
We have drafted and reviewed Business Associate Agreements. Although the Department of Health and Human Services ("DHHS") posted a model Business Associate Agreement on its website, most of the Business Associate Agreements we have seen are individually drafted. Some Business Associates who service multiple healthcare providers have developed their own Business Associate Agreement, have stated they will follow it unilaterally, and refuse to amend or enter into any other Business Associate Agreement. Since the responsibility for having a compliant Business Associate Agreement rests with the covered entity, these agreements must be reviewed carefully by the covered entity to ensure that they provide all the necessary representations to fulfill the covered entity's legal responsibilities. Three particularly troublesome areas which should be reviewed carefully are: (i) any provisions relating to indemnification; (ii) representation regarding compliance with requirements for access, amendment and accounting of disclosures of protected health information ("PHI"); and (iii) the necessary reciprocity provisions where the covered entity also functions as a business associate of the entity from which they are requiring a business associate agreement.
B. HIPAA Compliant Authorizations.
Human resource departments, doctors' offices and lawyers have required assistance in developing HIPAA compliant authorization forms. Human resource departments need medical information about employees for purposes of administering FMLA leave, ADA reasonable accommodation discussions, return to work policies, obtaining results from drug testing, etc. Lawyers involved in workers' compensation claims, medical malpractice, and personal injury litigation also require medical records. The problem already surfacing is that even where an authorization meets the requirements set forth in the HIPAA Privacy Rule regulations, some healthcare providers will not disclose protected health information (PHI). These healthcare providers, trying to avoid making any error under HIPAA by disclosing PHI inappropriately, are simply refusing to provide medical records to anyone except the patient. In the workers' compensation area, few healthcare providers know that state workers' compensation programs are excepted from HIPAA. Although the preamble to the HIPAA Privacy Rules expressly states the congressional intent not to interfere with the flow of information for purposes of workers' compensation, the extent of this exemption is unclear.
C. Accounting for Disclosures.
Healthcare providers and business associates must "account for any disclosure" unless it is listed in one of the nine exceptions from the disclosure accounting rules. Few healthcare providers and even fewer Business Associates are clear on when they must record a disclosure of PHI. Some have reacted by suggesting that they will record all disclosures. Recording every disclosure of PHI will prove impossible for nearly every healthcare provider or Business Associate. Yet, being clear on what disclosures must be accounted for will require training and a bit of clairvoyance as to what the DHHS has intended.
Even when one understands the types of disclosure subject to an accounting, the delayed effective date for Business Associate Agreements where the Business Associate already has a written, un-amended contract with a healthcare provider raises a new issue. There is no delayed effective date available to the healthcare provider for having a complete accounting of disclosures of PHI. Therefore, the healthcare provider is in the position of being responsible for obtaining an accounting of disclosures from its Business Associate without necessarily having an agreement in place requiring the Business Associate to provide such information to the healthcare provider.
D. Privacy Notices.
Privacy notices can vary from two pages to 12 pages. All covered entities must, in good faith, attempt to obtain an acknowledgement that the patient received the privacy notice. Covered entities should be careful that the privacy notice expressly includes the right to amend the privacy notice, for without such a reservation, the healthcare provider will be subject to an expensive administrative burden in the future as rules change. Mental health providers must be careful to include special provisions in their notices. All patients of a covered healthcare provider must be provided with a privacy notice, regardless of whether their own PHI will be transmitted electronically.
E. Personnel Policies.
HIPAA requires that all covered entities (including health plans) have personnel policies that reflect the entity's handling of employees who use or disclose PHI in violation of HIPAA. During an investigation, it is likely that the Office of Civil Rights ("OCR") would ask for these policies. Other personnel policies, such as those relating to FMLA leave or drug testing, need to be revised to include provisions that state the employer will be requiring the employee to complete a HIPAA compliant authorization.
F. Compliance and Enforcement of HIPAA Privacy Rules.
The OCR is the entity charged with enforcing the Privacy Rules. Many are concerned about whether the OCR investigators will understand the healthcare providers' responses to a patient's request to amend medical records, will know what is the minimum necessary disclosure in a particular situation, will be able to evaluate the HIPAA training provided to physicians, will know what disclosure of PHI is incidental disclosure in typical healthcare situations, etc. The penalties for violation of HIPAA are stiff. And, although the Privacy Rules expressly provide that there is no private right of action by a patient, as lawyers, we are not comfortable giving any assurance to healthcare providers that an individual will not be able to sue using the HIPAA Privacy Rules as a statement or standard of public policy.
These are just some of the practical issues facing healthcare providers, employers, lawyers, and others as they try to comply with HIPAA.