In response to widespread concern that information otherwise regarded as private becomes readily accessible to the general public through the pervasive use of electronic databases, President Clinton recently signed a proposed rule to require certain entities to comply with measures to protect the privacy of an individual's healthcare information which is or has been electronically maintained or transmitted.(1)
The United States Department of Health and Human Services ("HHS") is currently accepting comments and the final rule is scheduled to become law in February 2000 (amending 45 CFR Subtitle A) (at which time we will issue another Advisor). In the interim, the following is a broad overview of key provisions of the proposed rule.
* Scope. The proposed rule governs use and disclosure of "individually identifiable health information"(2) that is or has been electronically transmitted or maintained,(3) including such information in any other form ("Protected Health Information") by health plans, health care clearinghouses, and health care providers ("Covered Entities").(4) In most circumstances other than the safe harbor described below, a specific written release from the patient is required to use or disclose such information. Protected Health Information is protected during the life of the individual and, in most cases, for two years after death.
* Safe Harbor. A safe harbor is provided that generally allows(5) for the use and disclosure of Protected Health Information by Covered Entities without a specific authorization from the patient if:
- necessary to carry out treatment,(6) payment,(7) or health care operations;(8)
- information is de-identified;
- information is given to a business partner (see definition below) for performance of services or functions for or on behalf of such Covered Entity; and
- for certain national priority purposes (e.g. public health activities; oversight of the health care system; judicial and administrative proceedings; law enforcement; directory information; research (with written authorization); and emergencies).
* Minimum Information Necessary. All disclosures must consist of only the minimum amount of information necessary to accomplish the purpose for which they are made.
* Liability for Business Partners; Contracts. The rule imposes liability on Covered Entities for the invalid use or disclosure of such information by such entity's "business partners" (defined as persons "to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity" and includes "lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms"). Covered Entities are required to have written confidentiality agreements with their business partners any time a disclosure is made, with or without a release, and the Covered Entity may be sanctioned for prohibited uses and disclosures by such business partners. We recommend that the Covered Entity include indemnification provisions specific to the use and disclosure of Protected Health Information in such agreements.
* Patient's Rights; Written Notice. The rule creates four individual rights: (1) to receive written notice of a Covered Entity's information practices; (2) to obtain access to the individual's own health information; (3) to obtain an accounting of how the individual's health information has been disclosed; and (4) to request a correction and/or amendment of the individual's health information. It provides no individual right to sue for violations (only Congress can create such a right); rather, the Attorney General is vested with the authority to impose civil and criminal sanctions (fines up to $25,000 annually per provision violated). Individuals may also request that their provider restrict use and disclosure of their Protected Health Information for treatment, payment and health care operations. A provider who agrees to such a restriction may be placed in a bind if the patient's health plan later requests the information for payment purposes, in particular where the provider's agreement with the health plan requires such disclosure. (To complicate the situation further, the rule prohibits Covered Entities from conditioning treatment or payment on obtaining a release from the patient.)
* Compliance. The rule requires Covered Entities to implement administrative procedures to safeguard the confidentiality of health information; a privacy officer would be designated in the Covered Entity's place of business, employees would undergo privacy training, confidentiality policies would be implemented and sanctions would be developed for violations of such policies.
* Preemption of State Law. The rule is intended to fill gaps in State law and to preempt it to the extent there is a conflict. New York law contains provisions regarding the confidentiality of patient information in the Public Health Law (including HIV/AIDS information), the Mental Hygiene Law (including substance abuse information) and the Civil Practice Law and Rules (physician/patient privilege). In some instances these laws are more protective of the individual whose information is at issue than the proposed rule. However, the rule introduces certain key provisions that have no counterpart in New York law and that New York Covered Entities will need to implement, including, but not limited to, the extensive provisions governing business partners and the creation of compliance systems. Also significant is the fact that although New York law does not specifically create a private right of action, in certain instances New York courts have found an implied private right of action.
* Other Federal Law and Professional Standards. On a federal level, the rule does not affect Medicaid regarding confidentiality of health information because the Medicaid rules are stricter than the proposed rule. The rule does not generally conflict with the Medicare program. Federal law governing the disclosure of substance abuse records is more stringent than the rule in some respects, but does not address the requirements of the rule in other respects. Professional standards on confidentiality of health information established by entities such as NCQA, JCAHO and the AMA will also need to take the proposed rule into account.
(1) The Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), P.L. 104-191, called for the enactment by Congress of measures to protect the privacy of healthcare information by August 21, 1999; failure to do so resulted in the Secretary of Health and Human Services issuing this rule, signed on October 29, 1999.
(2) "Individually identifiable health information" is defined as "information that is a subset of health information, including demographic information collected from an individual, and that: (1) Is created by or received from a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (i) Which identifies the individual, or (ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual."
(3) "Electronically transmitted" information includes information "exchanged with a computer using electronic media, such as the movement of information from one location to another by magnetic or optical media, transmissions over the Internet, Extranet, leased lines, dial-up lines, private networks, telephone, voice response, and 'faxback' systems." "Electronically maintained" information is information "stored by a computer or on any electronic medium from which information may be retrieved by a computer, such as electronic memory chips, magnetic tape, magnetic disk, or compact disc optical media."
(4) A "health care clearinghouse" is defined as an ". . . entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. The entity receives health care transactions from health care providers or other entities, translates the data from a given format into one acceptable to the intended payer or payers, and forwards the processed transaction to appropriate payers and clearinghouses." The preamble to the rule explains that, although clearinghouses are directly governed by this rule, their rights and obligations are limited to those of business partners when they are acting as a Covered Entity's business partner and may be further limited by contract with the Covered Entity.
(5) Disclosure is only required (i) if requested by HHS for compliance purposes, or (ii) to the individual, upon proper request.
(6) "Treatment" means "the provision of health care by, or the coordination of health care (including health care management . . . ) among, health care providers; the referral of a patient from one provider to another; or the coordination of health care or other services among health care providers and third parties authorized by the health plan or the individual."
(7) "Payment" is defined as: "(1) The activities undertaken by or on behalf of a covered entity that is: (i) A health plan, or by a business partner on behalf of a health plan, to obtain premiums or to determine or fulfill its responsibility for coverage under the health plan and for provision of benefits under the health plan; or (ii) A health care provider or health plan, or a business partner on behalf of such provider or plan, to obtain reimbursement for the provision of health care.
(2) Activities that constitute payment include: (i) Determinations of coverage, improving methods of paying for coverage policies, adjudication or subrogation of health benefit claims; (ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) Billing, claims management, and medical data processing; (iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; and (v) Utilization review activities, including precertification and preauthorization of services."
(8) "Health care operations" are activities by or on behalf of a health plan or health care provider to carry out its management functions necessary for the support of treatment or payment, including but not limited to conducting quality assessment and improvement activities; reviewing competence or qualifications of health care professionals and evaluation of practitioner and provider performance; activities relating to renewal of insurance; insurance rating; conducting and arranging for medical review and auditing services, including fraud and abuse detection and compliance programs; and compiling and analyzing information for legal proceedings.