In 1996, Congress passed the Health Insurance Portability and Accountability Act (“HIPAA”). HIPAA is a complex, multifaceted piece of legislation, affecting the delivery of healthcare. The primary purpose of HIPAA is to ensure employees who leave their jobs do not lose their eligibility for health insurance. This portion of the legislation is already in effect. Another major piece of the legislation, Title 2, deals with administrative simplification of the U.S. healthcare system. Title 2 is so complex, however, that an entire industry has developed solely to implement, consult and interpret these HIPAA “simplifications!”
One key provision in Title 2 calls for uniform nationwide standards for maintaining the privacy of health-related information. Responsibility for developing those standards was delegated to the Department of Health and Human Services (“HHS”). The result of this broad grant of authority is the HIPAA Privacy Rule, put forth on April 13, 2001, with a compliance deadline of April 14, 2003. This article provides a brief overview of how the HIPAA Privacy Rule protects and affects individuals, employers and healthcare-related entities.
INFORMATION COVERED BY THE HIPAA PRIVACY RULE
HIPAA requires covered entities to develop and implement policies and procedures to maintain the confidentiality of “protected health information” (PHI). PHI is identifiable individual information, whether oral or recorded in any format, that is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse. PHI includes all information relating to: 1) the past, present, or future physical or mental health condition of an individual; 2) the provision of healthcare to an individual; or, 3) the past, present, or future payment for an individual’s healthcare. Information is “identifiable” if it contains data that either identifies or could reasonably identify a particular individual. The Privacy Rule contains eighteen identifiers: names, addresses, birth dates, telephone numbers, fax numbers, e-mail addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers; vehicle identifiers, device identifiers, URLs, IP addresses, finger/voice prints, full face photos and unique identifying numbers.
WHO MUST COMPLY WITH THE PRIVACY RULE
HIPAA’s Privacy Rule applies to “covered entities” – healthcare providers, health plans and healthcare clearinghouses – that transmit at least some healthcare information in an electronic format. But it applies to all provider-maintained information, not just the subset of information that is electronically transmitted.
Healthcare providers include hospitals, clinics, doctors, home health agencies, developmental disability and drug/alcohol treatment programs, physical and occupational therapy providers, hospices, clinical social workers and psychologists, skilled nursing and continuing care facilities, and any other person or entity who furnishes, bills, or is paid for healthcare in the normal course of business.
A health plan is any individual or group that provides or pays the cost of medical care. This includes health insurers, long-term care insurers, HMOs, Medicare, Medicaid and group health plans, as well as other private and government health plans.
A healthcare clearinghouse is an entity that processes or facilitates the processing of health information of another entity. Healthcare clearinghouses typically include billing services, repricing companies, community health management organizations, and “value-added” networks.
BUSINESS ASSOCIATES
The Privacy Rule also affects employers that sponsor health insurance programs for their employees, and individuals and organizations that are “business associates” of a covered entity.
Business associates are persons or entities that provide services on behalf of the organization, but are not themselves covered under the Privacy Rule. Business associates include individuals or organizations that provide services such as claims processing or administration, data analysis, quality assurance, utilization review and billing. Entities that provide legal, accounting, actuarial, consulting, accreditation and financial services are also within the definition when performance of their services involves the disclosure of PHI from the covered entity. A covered entity can be a business associate of another covered entity.
A covered entity that uses business associates must have a Business Associate Agreement in place with each associate. The agreement must comply with all Privacy Rule requirements. Because the administrative burdens associated with complying with the Business Associate Agreement requirement were onerous on covered entities, HHS extended the compliance deadline for having these agreements in place. The new deadline is the earlier of April 14, 2004, or the date on which the contract between the covered entity and the business associate is renewed or modified. The absence of the written Business Associate Agreement does not, however, change the covered entity’s responsibility for ensuring an individual’s rights, with respect to PHI held by a business associate, are protected as required by the Privacy Rule.
INDIVIDUAL RIGHTS UNDER HIPAA
The HIPAA Privacy Rule is designed to assure individuals that their healthcare information will not be used or disclosed without their permission. The Rule gives individuals distinct rights with respect to their protected medical information, including the right to:
a. receive a notice of privacy practices of a covered entity creating or receiving their PHI;
b. access or receive a copy of their PHI (a reasonable fee may be charged);
c. request amendments to their PHI;
d. receive a written explanation when a request to access or amend their PHI is denied;
e. request restrictions on certain uses and disclosure of their PHI; and,
f. request an accounting of where, and for what purposes, their PHI was disclosed.
THE EFFECT OF HIPAA ON EMPLOYEES
Since health plans are covered entities under HIPAA, the Privacy Rule also reaches the plan sponsors. Employers who offer healthcare benefits through a group health plan are plan sponsors. A group health plan is defined as any ERISA plan to the extent it provides medical care to employees through insurance, reimbursement, or directly (if the group has 50-plus participants or is administered by a third party).
HIPAA treats the group health plan, and the plan sponsor, as separate entities. The obligations in the Rule rest primarily on the health plan. So, if a plan sponsor does not receive any PHI about its employees, and the plan is fully insured by another entity, the sponsor can rely on its insurer or HMO to comply with HIPAA requirements. However, if the group plan is self-insured, in whole or in part, or the plan sponsor receives or creates PHI about the enrolled individuals, the plan sponsor is responsible for issuing a “notice of privacy practices” to its employees. Employers who sponsor self-administered group health plans or cafeteria plans particularly need to become aware of and comply with the Privacy Rule’s requirements.
Insurers or HMOs that provide group health plan coverage for plan sponsors must ensure that the plan documents restrict use and disclosure of PHI by the sponsor.
The plan sponsor must implement the commitments made to comply with the Privacy Rule. In particular, the sponsor may not use PHI about an employee in making employment-related decisions. A plan sponsor must also identify the individuals within the organization that have access to or use PHI, and train them on the Privacy Rule and its restrictions. Position descriptions may need to be revised to reflect that access to PHI within the company is limited to those positions. Finally, if a plan sponsor is also the plan administrator, and handles claims and payments, it may be necessary to adopt administrative, physical and technical safeguards to protect PHI from unauthorized disclosure.
INFORMATION FOR COVERED ENTITIES
To comply with the Privacy Rule’s requirements, a covered entity must:
- Provide patients with the organization’s notice of privacy practices, make a good faith effort to obtain a signed acknowledgment, and document unsuccessful attempts to do so;
- Obtain a detailed, written specific authorization from patients to use and disclose information in response to any “non-routine” disclosure request (those other than disclosures either needed for treatment, payment, and healthcare operations, or required by law);
- Permit patients to request 1) access their PHI, 2) amendments of their PHI, and 3) an accounting of non-routine uses and disclosures of their PHI for up to 6 years;
- Obtain signed “business associate” agreements from agents and organizations that carry out work of the organization, or work on the organization’s behalf, ensuring they will comply with HIPAA;
- Designate a privacy officer and contact person who is responsible for the organization’s privacy policies, procedures and inquiries from patients;
- Train all staff on proper privacy practices, and alert them to the disciplinary action(s) that will be taken against them if they violate HIPAA; and,
- Develop and implement appropriate physical, procedural and electronic safeguards to prevent improper use or disclosure of PHI.
RESPONDING TO REQUESTS FOR “NON-ROUTINE” PHI DISCLOSURES
When information is sought to facilitate HIPAA’s permissible disclosures (treatment, payment, or healthcare operations), the information can be released without penalty. When a party issuing the subpoena or discovery request submits a signed authorization form, or permission to disclose, from the patient whose information is being sought, then it is acceptable to release the information. If a signed Business Associate Agreement with the requesting party is on file, the organization can respond to the request without seeking additional documentation.
If none of the above conditions are met, the subpoena or discovery request must be accompanied by one of the following types of additional written documentation before responding to the request:
- proof that the requesting party attempted to notify the patient whose information they are seeking of the request in writing. The notice must give the patient enough information about the legal dispute to allow the patient to object to the request in court;
- proof the parties to the legal dispute have agreed to a qualified protective order and have presented it to the appropriate legal authority; or,
- proof that the party seeking the PHI requested a qualified protective order from the court overseeing the legal proceeding.
Any of these options constitute satisfactory assurance under HIPAA and allow the organization to release the requested information without penalty. If the organization receives a subpoena or discovery request without any additional paperwork, it must not release information until one of the acceptable required forms of additional documentation is provided.
For the complete text of the HIPAA Privacy Rule, see www.hhs.gov/ocr/hipaa/finalreg.html.
