The New HIPAA Privacy Rule: What Is It and Who Should Care?


HIPAA is the Health Insurance Portability and Accountability Act of 1996. In trying to streamline the complicated and fragmented health care system and reduce costs, Congress included within HIPAA what it entitled "Administrative Simplification" provisions, designed to make it easier and cheaper for health care providers and health plans to transmit health information electronically. Congress realized, however, that widespread electronic transmission of health information could jeopardize the privacy of patients' health care information. Problems with breaches of privacy had already been the subject of much media attention with numerous reports highlighting circumstances where the confidentiality of patients' personal health information had been breached or ignored to the detriment of patients. Consequently, Congress mandated that, if it did not pass separate legislation setting forth national privacy protections for health information by a certain date, then the Department of Health and Human Services (HHS) would be responsible for developing detailed privacy standards by rule.

Ultimately, Congress did not pass separate legislation, so the task of developing privacy standards fell to HHS. In response, HHS enacted the Privacy Rule. The Privacy Rule went into effect on April 14, 2001, and required most covered entities (health plans, health care clearinghouses, and health care providers) affected by it to be in compliance by April 14, 2003. As might be expected, the HIPAA Privacy Rule is anything but simple (HHS received over 1500 pages of comments on the original draft of the rule), and compliance will create headaches for those impacted by the rule.

Who is affected by the HIPAA Privacy Rule?

The Privacy Rule applies directly to three types of "Covered Entities": (a) health plans; (b) health care clearinghouses; and (c) health care providers who conduct certain health care transactions electronically. However, the rule may also affect other businesses and individuals (such as employers who sponsor health plans, and lawyers, accountants, consultants and other professionals who work with these covered entities) in an indirect manner. It is often up to the Covered Entity to make sure that the people with whom it does business comply with the Privacy Rule. The penalties for not doing so can be severe.

What information is subject to the HIPAA Privacy Rule?

The Privacy Rule applies to "Protected Health Information" (PHI), which means essentially any "individually identifiable" information, whether oral or recorded in any form or medium, that is created or received by a health care provider or health plan and that relates to the physical or mental condition of, or the provision of health care to, an individual.

Washington's Uniform Health Care Information Act (UHCIA) similarly applies to "health care information," which means any information, whether oral or recorded in any form or medium, that identifies or can readily be associated with the identity of a patient and that relates to any care, service, or procedure provided by a health care provider. Under Washington's UHCIA, however, health care information also includes any record of disclosures of health care information.

The fact that doctors, nurses and any other health care providers must comply with the HIPAA Privacy Rule has received considerable attention in the media. Hopefully, most know they need to comply and have already taken steps to do so. What has not received nearly so much attention is that most employers who sponsor health plans for their employees also have to comply. To determine whether you or your business needs to comply, and what you need to do to comply, a number of websites and law firms can assist. The official government website is http://www.hhs.gov/ocr/hipaa/.

In sum, the HIPAA Privacy Rule can and likely will impact most businesses in a number of ways, some of which were never contemplated or intended by HHS. Now that HHS has done its part under the "Administrative Simplification" provisions of HIPAA to produce a lengthy, detailed, and far from simple Privacy Rule, all who are affected need to become familiar with the Privacy Rule, comply with its mandates, and be alert for any problems it poses.