- Get Ready for HIPAA!
- November 7, 2003
- Law Firm: Briggs and Morgan, Professional Association - St. Paul Office
Is your business prepared for a visit from a four ton hippopotamus, arriving next April and staying indefinitely?
What kind of preparations will assure that you can properly feed and care for a hippo while also protecting your business from the destruction a guest of this magnitude might cause?
While you do not need to rush out and hire a contractor to reinforce your floor with steel beams, many businesses and employers need to stop and consider now what preparations they must make for the April 14, 2003 compliance date (April 14, 2004 for small group health plans) for the Privacy Rule under HIPAA, the Health Insurance Portability and Accountability Act of 1996. The U.S. Department of Health and Human Services (HHS) released final changes to the privacy regulations, which were published in the Federal Register on August 14, 2002, with a promise that more informal compliance guidance would be issued shortly.
Covered entities (health care providers, health care clearinghouses, and group health plans) that conduct certain electronic transactions, such as claims submissions, must meet each of HIPAA's dozens of different privacy safeguards and recordkeeping requirements that are intended to protect patient confidentiality. The HIPAA Privacy Rule protects Protected Health Information (PHI), which is any individually identifiable health information that is created by or received from a health care provider, health plan, or health care clearinghouse and relates to the past, present, or future physical or mental health of an individual or payment for health services. HIPAA also provides other requirements which are not addressed in this article. It is especially noteworthy that covered entities using electronic code sets have until October 16, 2002 to file for an extension for the code set standards, and compliance will be required by October 16, 2003. Without the extension, the compliance date is October 16, 2002.
Group Health Plans Sponsored by Employers
An employer that sponsors a group health plan is a covered entity and may have to comply with various HIPAA requirements as the plan sponsor of the group health plan (including a health care reimbursement account plan). HIPAA compliance is not required if the employer's group health plan is fully insured and the employer's access to and use of individually identifiable health information is limited to participant data used for enrollment and disenrollment purposes and/or summary information used for underwriting and for determining whether to amend or terminate the group health plan.
De-identified summary health information is not PHI and therefore imposes no compliance obligation on the employer/plan sponsor. However, if the employer as plan sponsor has access to PHI from the plan, has responsibility for ruling on benefit appeals under the plan, or otherwise has access to PHI, the group health plan will need to be amended to comply with the HIPAA Privacy Rule, and the employer as plan sponsor will need to certify that it will use the PHI it receives only in accordance with the Privacy Rule. Self-funded group health plans that are administered by the employer (including FSAs and medical reimbursement plans) will need to adopt many of the HIPAA administrative and data security requirements imposed on covered entities, including clarifying job descriptions and company policies to designate which employees have access to PHI for purposes of operating the group health plan, and imposing firewalls to prevent that access to PHI from being used for other purposes, such as decisions regarding employment status. Many smaller employers (who may have fully funded health plans) are currently arranging for outside administration and claims and appeals processing of their health care flexible spending accounts in order to reduce their HIPAA compliance duties.
Not all individually identifiable health information that an employer receives is PHI subject to the Privacy Rule; only information created by or received from a covered entity qualifies. For example, information that a supervisor receives about an employee's health-related absence or FMLA leave status is not PHI unless it was received from the group health plan or is being used for health plan operations. Disability plans and workers' compensation arrangements are not covered entities, so information received for these purposes is not subject to the HIPAA Privacy Rule unless or until it is later used for purposes of administering the group health plan. The implications of this rule for integrated disability/health plan arrangements are complex.
Use and Disclosure of PHI by a Covered Entity
Covered entities may not use or disclose any PHI, except for treatment, payment, or health care operations, without the authorization of the patient unless the Privacy Rule allows or requires such disclosure (for example, the mandatory reporting of child abuse). The final regulations no longer require a covered entity to obtain a patient's consent prior to treatment, payment, or health care operations, and have instead substituted a requirement that direct health care providers make a "good faith effort" to obtain a written acknowledgement of receipt of the provider's Notice of Privacy Practices. Health plans now have the discretion to obtain this acknowledgement, but it is not required. The final amendments make written consent optional for all covered entities, including providers with direct treatment relationships, but "more stringent" state laws will still apply, such as the Minnesota law requiring a patient's written consent prior to the disclosure of health information to unrelated entities.
Patients must sign an authorization prior to the use or disclosure of PHI for any purpose other than treatment, payment, and health care operations (unless the disclosure is otherwise provided for in the Privacy Rule, which primarily addresses public safety disclosures). There are special, more restrictive rules for authorizations covering the release of psychotherapy notes, as well as special rules that apply to authorizations for the use of PHI for research or marketing. Generally, the new changes have simplified the authorization requirements, so that an effective authorization must contain the following:
- Description of the PHI to be disclosed
- Identity of the user and/or sender
- Identity of the desired recipient
- Purpose of the use or disclosure
- An expiration date or event for the authorization
- An explanation that the authorization can be revoked
- A description of the consequences (if any) should the patient refuse to sign, and
- The patient's signature and date
In many cases the changed regulations would allow authorizations for multiple purposes of uses or releases to be combined into a single authorization form.
While HIPAA applies directly only to covered entities (health care providers, health plans, and health care clearinghouses), it also requires those entities to address privacy issues with their "business associates." Contracts with any other entity that receives or has access to PHI from a covered entity must incorporate mandatory provisions requiring the business associate to maintain safeguards against unauthorized uses or disclosures. In some instances the covered entity may be liable for privacy violations by its business associates. If no contract currently exists between the covered entity and the business associate, a contract that includes HIPAA Privacy Rule provisions must be entered into by April 14, 2003. Covered entities that already have a current written contract with their business associates have until the earlier of the expiration of the term of their current contract or April 14, 2004.
Covered entities must implement a number of administrative requirements. These include:
- Naming a privacy officer
- Creating a compliance process
- Training the workforce regarding the security of PHI
- Implementing policies to assure that the information disclosed (in most cases, but not for treatment) is limited to the minimum necessary for the purpose of the disclosure
- Mitigating unauthorized uses and disclosures
- Creating sanctions against those who fail to comply with the Privacy Rule
- Maintaining and retaining documents regarding the medical record
- Enabling patients to request a copy of their medical records
- Implementing a process for patients to submit proposed amendments to their medical record (with a review and denial procedure for the covered entity to follow)
- Keeping an accounting of the disclosures of PHI, to be released upon request by the patient or HHS
The administrative requirements of HIPAA are complex and will require time and resources to implement. Here are some first steps towards HIPAA compliance:
- Designate a Privacy Officer with the authority and obligation to ensure compliance with the HIPAA Privacy Rule by April 14, 2003
- Review current data collection and disclosure practices and modify as needed
- Identify employees with access to PHI
- Draft HIPAA-compliant policies and procedures for handling individually identifiable health data and adjust job descriptions of affected employees to include HIPAA compliance responsibilities
- Ensure that only staff needing to look at data about an individual have access to the PHI, that PHI received or maintained on individuals is only shared with others who need to have access to this information, and that the minimum necessary data is disclosed when disclosure is warranted (except for treatment purposes)
- Develop a tracking system to allow patients to receive an accounting of the disclosures of their PHI (except for uses for payment, treatment, or health care operations)
- Implement procedures for patients to be able to access, and when appropriate, amend their health data
- Verify that all business associates are also in compliance with the HIPAA Privacy Rule by incorporating HIPAA provisions into contracts and agreements
- Provide a Notice of Privacy Practices to all patients concerning their rights under HIPAA
- Develop due process protections, including a complaints process for patients and sanctions for non-compliance
HIPAA violations are subject to both civil and criminal penalties, so it is important that the Privacy Officer be someone with the authority and resources to assure that the company will meet the rapidly approaching compliance date. Whether you are an employer sponsoring a group health plan wondering what (if any) steps you must take to assure HIPAA compliance, or a health care provider attempting to apply the newly revised hybrid entity rules to your various business groups, professional assistance with this tricky compliance task is highly recommended. Perhaps some dancing lessons are in order to prevent a four ton HIPAA from stepping on your toes next April!