The material in this publication is based on laws, court decisions, administrative rulings and congressional materials, and should not be construed as legal advice or legal opinions on specific facts. We encourage you to contact any lawyer in our health care services group to discuss these guidelines in detail.
The HIPAA Privacy Rule: What It Means for You
On December 20, 2000, the U.S. Department of Health and Human Services (HHS) released its final rule authorized by the Health Insurance Portability and Accountability Act (HIPAA) regulating the privacy of identifiable patient health information. This sweeping rule affects virtually everyone in the U.S. health care system – providers, vendors, payers, intermediaries – and, of course, patients.
Health care providers and related businesses face many questions as a result of the rule. Will you need new policies and procedures for medical records and patient consent? Must your computer system be revamped to comply with the new regulations? Should all contracts with third parties be rewritten? Will employees need to be trained? Do you need to hire a "privacy officer"? For many health care businesses, the answer to these questions is "yes," but as is often the case with federal regulations, the devil is in the details. Let’s briefly review the requirements of the regulations.
Who Is Covered
The final rule applies to all medical records and other identifiable information about individual patients held or disclosed by a "covered entity" in any form, whether communicated orally or in electronic or paper form. This is a significant change from the proposed regulations, which covered only information that had been maintained or transmitted electronically.
Covered entities include health plans, health care clearinghouses and health care providers who conduct certain financial and administrative transactions through electronic media. Covered entities include doctors, hospitals, skilled nursing facilities, comprehensive outpatient rehabilitation facilities, home health agencies, hospice programs, ambulance companies, clinical laboratories and similar health care providers. Covered entities also may include pharmaceutical or medical device companies. The final rule also indirectly regulates the conduct of "business associates" of covered entities who use identifiable health information to assist covered entities in their operations (billing companies, for example).
Administrative Obligations
The final rule requires providers to establish and implement policies, procedures and enforcement activities that govern their use and disclosure of individually identifiable health information. For example, providers must:
- designate a privacy compliance officer with responsibility for developing privacy policies and procedures
- designate an officer to receive complaints and provide further information regarding the provider’s patient privacy notice materials
- provide training for all existing and future members of the provider’s workforce
- establish a complaint process for non-compliance with privacy regulation
- implement and enforce sanctions for violations of provider policies and procedures.
Patient Rights Obligations
A significant feature of the final rule is the panoply of patient rights imposing obligations on providers and other covered entities. These include patient notification requirements, obligations to obtain patient consent and authorization for disclosure, requirements permitting patient access to information, patient information correction procedures and requirements governing accounting of patient information disclosures. The final rule defines precisely what providers must include in each notice to patients, which varies depending on the type of disclosure. In addition, providers must:
- obtain patient consent before using or disclosing patient information for medical treatment, payment or health care operations except where there are substantial barriers to obtaining consent. The consent must inform the patient that protected information may be used to carry out treatment, payment or health care operations. The consent also must inform patients that they have the right to review a more extensive patient notice prior to signing the consent form.
- obtain a specific patient authorization prior to using or disclosing patient information for purposes other than medical treatment, payment or health care operations and for use or disclosure of psychotherapy notes.
HHS had initially proposed allowing routine disclosures without advance patient consent for treatment, payment and administrative operations, but the final rule requires informed patient consent for even these routine disclosures.
Use and Disclosure Obligations
The final rule defines the types of uses and disclosures that are permitted and required for individually identifiable health information. These provisions also establish the "minimum necessary" standard for disclosures of such information. Under the rule, providers:
- may disclose protected information (i) to patients, (ii) pursuant to a valid consent, (iii) pursuant to a valid authorization, or (iv) in certain other limited circumstances.
- must disclose protected information (i) to a patient upon request in certain circumstances or (ii) to HHS upon request for purposes of a compliance audit or investigation
- must adhere to the "minimum necessary" disclosure rule, except under certain limited circumstances. This means that when using, disclosing or requesting protected information, providers must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. The "minimum necessary" standard does not apply to disclosures to (or requests by) other providers for treatment purposes, to disclosures made to the patient or HHS, or to disclosures made pursuant to a valid patient authorization.
Obligations for Contracts with Business Associates
The final rule also governs transactions between health care providers and their "business associates," defined as any person or entity that provides services to a health care provider related to claims processing or administration, data analysis or processing, utilization review, quality assurance, billing, benefit management, or any legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services activity. Covered entities, including providers, can be considered business associates when they perform business associate functions on behalf of other covered entities. The final rule does not directly regulate the conduct of business associates, but indirectly regulates business associate activities by requiring covered entities, such as health care providers, to obtain adequate assurances from their business associates that the business associates will comply with a defined set of health information use and disclosure requirements.
The mechanism for providing adequate assurance between covered entities and business associates is a written contract explicitly limiting the business associate’s use and disclosure of individually identifiable health information. The required contract terms also obligate the business associate to safeguard the information, to report to the covered entity any use or disclosure the contract does not permit, and to make its records and practices available for inspection.
Significantly, contracts with business associates must ensure that subcontractors and agents to whom business associates provide protected information agree to the same conditions applicable to the business associate.
Special Rules Relating to Research
Providers and other covered entities that seek to use individually identifiable patient information for research, including research that also involves treatment of the research subject, will have to comply with detailed authorization requirements. To use information for research purposes, providers must obtain:
- a patient authorization that complies with the rule, or alternatively
- a waiver of authorization from an Institutional Review Board or privacy board, pursuant to waiver criteria set forth in the rule including extensive documentation requirements.
Restrictions on Use of Information for Marketing Purposes
Providers and other covered entities also must adhere to strict rules governing marketing activities. As a general rule, a provider may not use or disclose protected health information for marketing purposes absent a valid patient authorization.
Providers are not required to obtain a patient authorization, however, when making a communication to an individual that informs patients or enrollees about products that may benefit them, provided certain requirements are met. These permitted uses of patient information may include appointment reminders, newsletters or information about new products.
Nevertheless, a covered entity may not disclose patient information to third parties for marketing purposes without a valid authorization. Certain basic information may be used for fundraising without authorization.
Use and Disclosure of De-Identified Information
The rule provides standards for the "de-identification" of protected health information. De-identified information is not subject to the rule. The rule defines de-identified information as health information that (i) does not identify an individual and (ii) with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. The rule establishes two methods of determining that patient information is not individually identifiable: a documented determination by a qualified statistical expert that the risk of re-identifying the individual is very small, or removal of each item on a specified list of identifiers (the "safe harbor" method), provided the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
Conclusion
Providers and other covered entities have until February 26, 2003 to achieve full compliance with the final rule. Because the required operational and administrative changes are extensive, providers should begin analyzing their processes and procedures now in order to complete those changes by the compliance date.
The penalties for violations are severe. Covered entities are subject to civil monetary penalties of up to $100 per violation, capped at $25,000 per person per calendar year for violations of the same standard. Federal criminal liability for knowingly obtaining or disclosing individually identifiable health information in violation of the statute carries a fine of up to $50,000 and up to one year in prison; obtaining or disclosing the information under false pretenses raises the maximum to $100,000 and up to five years in prison. Obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm carries a fine of up to $250,000 and up to 10 years in prison.
Because the final rule is voluminous and detailed, this Alert only summarizes some of the most significant terms applicable to health care providers. The specific provisions applicable to providers and other entities will vary depending on the extent to which their business activities relate to individually identifiable health information.