The Health Insurance Portability And Accountability Act (HIPAA) Privacy Rule – What You Need To Know

By Gregory J. Naclerio and Jay B. Silverman

This article will describe the HIPAA Standards for privacy of individually identifiable health information (the “Privacy Rule”). It will (1) explain HIPAA noting how the Privacy Rule fits within the general HIPAA regulatory scheme, (2) identify who must comply with the Privacy Rule, (3) outline what information is protected, and (4) set forth the penalties for non-compliance. Finally, the article will suggest action steps that affected entities should take to prepare for the April 14, 2003 deadline for compliance with the Privacy Rule.

HIPAA’s Purposes – HIPAA (otherwise known as “the Kennedy-Kassebaum bill”) was enacted by Congress in 1996 as part of a broad Congressional attempt at incremental health care reform. Among its purposes, HIPAA (1) provides portability and continuity of health insurance coverage for workers who change jobs, (2) establishes various programs to combat fraud and abuse in health insurance and health care delivery, and (3) requires “administrative simplification” within the health care system.

Administrative Simplification – The administrative simplification provisions of HIPAA are designed to improve the efficiency and effectiveness of the health care system by encouraging the establishment of uniform standards for the electronic transmission of certain health care information while protecting confidential information from inappropriate access, disclosure and use.

Privacy Rule – On December 28, 2000, the Secretary of the United States Department of Health and Human Services (HHS) published in the Federal Register the Privacy Rule, which is the second of nine administrative simplification standards that HHS has released in final form. In addition to the Privacy Rule, the administrative simplification standards are to address transaction coding, format and content for health care transactions; national identifier numbers for patients, health care providers, health plans and employers; physical and electronic data security and enforcement. The Privacy Rule creates the first comprehensive national standards concerning (1) the use and disclosure of protected health information and (2) patient rights to access, amend and receive accounting of the disclosures of such information.

Covered Entities – These include health plans, health care clearinghouses and health care providers who conduct certain electronic financial and administrative transactions. Health care providers include hospitals, nursing homes, outpatient facilities, diagnostic and treatment centers, physicians, dentists and chiropractors.

Protected Health Information – The Privacy Rule covers “protected health information” (PHI) in any form that is covered or received by a covered entity. PHI is broadly defined as oral or recorded information relating to the past, present or future physical or mental health of an individual, the provision of health care to the individual or payment for health care.

Patient’s Right to Inspect and Copy Health Information – The Privacy Rule (1) establishes a new federal legal right for patients to see and obtain a copy of their own PHI, (2) establishes deadlines for covered entities to respond to requests for access, and (3) creates procedures for reviewing denials of those requests.

“Use” and “Disclosure” of PHI – The Privacy Rule governs the “use” and “disclosure” of PHI. PHI is “used” when it is shared, examined, applied or analyzed within a covered entity that maintains the information, and is “disclosed” when it is released, transferred, made accessible, or otherwise divulged outside the entity holding the information.

Business Associates – Business associates are companies and consultants that perform functions for health plans and providers, such as attorneys, accountants, billing companies, collection agencies, computer specialists and health care consultants. While business associates are not directly covered by the Privacy Rule, the rule establishes specific conditions concerning when and how covered entities may share information with their business associates.

Consent and Authorization – Except where the Privacy Rule specifically requires or permits, covered entities must obtain written permission from patients for the use and disclosure of PHI. Two types of permission are used to allow for the disclosure of PHI: (1) consent and (2) authorization. A general consent is required for use or disclosure of information for treatment, payment and the health care provider’s own health care operations. Authorization (which can be described as more specific written permission) is required where a patient’s PHI is to be used or disclosed for specific purposes other than treatment, payment, or health care operations.

Psychotherapy Notes – The Privacy Rule affords special treatment and heightened protection for psychotherapy notes. For most purposes, a covered entity may not disclose information contained in psychotherapy notes without a more detailed voluntary authorization specifying who is authorized to receive the information and including an expiration date or event.

Administrative Requirements – Covered entities must provide individuals with a written notice describing the entity’s privacy practices. Health plans are required to give notice at enrollment and to notify individuals every three years that the privacy notice is available. Health care providers and health plans must have a notice posted on the premises. Covered entities must have appropriate administrative, technical and physical safeguards in place to protect the privacy of PHI, and reasonably safeguard such information from intentional or unintentional use or disclosure. Covered entities must train all members of their work force on the policies and procedures regarding PHI. New members of the work force must be trained within a reasonable time. Covered entities must designate a Privacy Officer for the development and implementation of their policies and procedures. Patients have the right to receive an accounting of disclosures of their PHI created by the covered entity during the six years prior to the date that the patient requests the accounting.

Enforcement and Penalties – Individuals do not have a private right of action. The HHS Office of Civil Rights will enforce the Privacy Rule. HIPAA imposes substantial civil monetary penalties and criminal penalties for covered entities that are non-compliant.  Criminal penalties include, for misdemeanor violations, imprisonment of up to one year or a fine of $50,000 or both.  More serious penalties apply where a covered entity’s actions rise to a felony.  For felony violations, criminal penalties include (1) a maximum penalty of $100,000 or 4 years in prison or both where a covered entity obtains protected health information under false pretenses or (2) a fine of up to $250,000 or up to 10 years imprisonment or both where protected health information is obtained with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm.

Preemption – The Privacy Rule establishes a uniform floor for protecting the privacy of health information.  Existing or future state laws related to the privacy of health information that are more stringent than federal law will remain in effect, even if they are contrary to the federal regulation.

HHS Guidance – On July 6, 2001, HHS issued its first guidance to address questions and concerns regarding the Privacy Rule. The guidance offers practical direction on interpreting certain key provisions of the regulations. Specifically, among the clarifications, HHS indicated that (1) providers are not necessarily required to redesign the physical layout of their facility and should evaluate whether certain adjustments are necessary to minimize access, such as isolating and locking file cabinets or record rooms or providing additional security such as passwords on computers maintaining PHI and (2) physicians may, using the one-time consent obtained from the patient, send an appointment reminder to the patient, but would need a specific authorization from the patient to send his/her name or address. In addition, HHS has acknowledged that certain provisions of the Privacy Rule would require amendments to avoid substantial inconvenience. For example, HHS expects to propose changes in the following areas: (1) prescriptions, so as to permit pharmacies to fill prescriptions telephoned in by the patient’s doctor prior to the pharmacist obtaining the patient’s written consent, (2) referral appointments, so as to permit direct treatment providers receiving a first-time patient referral to schedule appointments, surgery or other procedures without obtaining the patient’s signed consent, and (3) sign-in sheets, so as to permit the use of sign-in sheets at physicians’ offices.

Recommended Action Steps – This article provides only a glimpse of some of the more significant provisions of the Privacy Rule.  The enormity of the Privacy Rule will compel covered entities to devote substantial time and resources to education and compliance.  Health care providers who transmit patient information electronically, whether for billing purposes or otherwise, are “covered entities”.  Such entities must begin to determine how they intend to comply.  While compliance seems to be a daunting task, our law firm has considered strategies for addressing HIPAA Privacy Rule requirements and can facilitate implementation of this mandatory compliance program.

The following is a list of suggested action steps which covered entities should take to become compliant with the Privacy Rule.  A business which handles health information should first assess whether or not it is a covered entity.  If the business is a covered entity, it should:

Create a process by which individuals may access, amend, or correct their health information.
Develop a “minimum necessary” standard.  Begin to consider what amount of information is reasonably necessary when the entity uses and discloses health information for particular purposes or pursuant to particular requests.
Consider whether de-identification of protected health information is practical, and where practical, begin to de-identify health information. De-identified health information is not protected by the Privacy Rule.
Have an IT expert evaluate computer systems, software, and other technology that facilitates transmission, receipt or storage of health information to develop strategies for complying with the HIPAA electronic transaction/code regulations and the Privacy Rule.
Hire staff or identify personnel who will be responsible for implementation of the Privacy Rule.
Begin to draft consents and authorizations that comply with the Privacy Rule.
Identify any potential “business associates”.  Ensure that contracts between the covered entity and business associates contain language that puts business associates on notice that their use and disclosure of health information must comply with the use and disclosure provisions of the Privacy Rule.  (Business associates should become familiar with the use and disclosure provisions of the Privacy Rule and begin to consider compliance so that they do not breach the new terms that covered entities will seek to add to contracts with them.)
Create a process whereby individuals can complain about the entity’s compliance with the Privacy Rule.
Create an accounting procedure for tracking the entity’s uses and disclosures of protected health information.
Create written policies and procedures whereby the entity will obtain appropriate patient consents and authorizations.
Consider the fiscal implications of compliance with the Privacy Rule.
Where feasible, involve counsel with HIPAA regulation expertise in the compliance process.

Gregory Naclerio, formerly the Director of the Long Island Regional Office of the Deputy Attorney General for Medicaid Fraud Control, is a Senior Partner and Chair of the Health Care Regulatory Department of Ruskin Moscou Faltischek, P.C. He can be reached at (516) 663-6633 or gnaclerio@rmfpc.com.
Jay Silverman, formerly the Assistant General Counsel of the Medical Society of the State of New York, is a Senior Associate in the firm’s Health Law Department. He was recently appointed to the New York State Health Plan Association’s Statewide Multi-Industry Health Insurance Portability and Accountability Act (HIPAA) Coalition. In addition, he serves on the Board of Advisors for Brownstone Publishers’ national newsletter HIPAA Privacy Staff Trainer. He can be reached at (516) 663-6606 or jsilverman@rmfpc.com.