- HIPAA Privacy Rule Goes Into Effect On April 14
- September 24, 2003
- Law Firm: Plunkett & Cooney, P.C. - Detroit Office
The initials HIPAA stand for the Health Insurance Portability and Accountability Act. It is a federal law passed by Congress and signed into law by President Clinton in 1996.
The HIPAA law does a number of things: sets federal standards for availability and portability of health insurance; improves consumer incentives for purchase of long-term care insurance; helps terminally and chronically ill people obtain insurance; strengthens federal regulation of fraud and abuse in the health care field; and mandates national standards for the electronic transmission of patient medical information.
In this discussion, we will focus our attention on the last item in the list above: the development of federal standards for electronic transmission of patient medical information.
Why are federal standards necessary? The computerization of health care records has created new challenges to the right of Americans to have their health records kept confidential.
Computerized records are much more easily accessible than paper records because computer files can be read remotely and anonymously. If the Pentagon's electronic records can be accessed by hackers, as they have been, the computer files of a health insurance company, a hospital or a doctor's office surely can be penetrated as well.
Electronic information is also vulnerable while in transit. Unencrypted e-mail and other unprotected forms of electronic transmission can be intercepted and read by unauthorized persons, and often no record of that interception is made, so neither the sender nor the recipient learns that it happened.
Another important factor is that with computers, medical information can much more easily be compiled and manipulated. For example, computers make it possible for a health care provider, an insurance company or an HMO to make a list of people who receive prescriptions for certain drugs (e.g., Viagra, HIV/AIDS-related drugs). The same kinds of lists can be made for various clinical procedures, hospital inpatient DRG's, medical devices, etc. This information can be sold or otherwise improperly released.
In the information age, the threat to the privacy of medical records is greater than ever. From a legal standpoint, health care-related entities have considerable exposure. If they fail to appropriately safeguard confidential medical information, they can be held liable. State and federal laws, provider contracts, and accreditation and ethical standards already set forth an obligation to protect patient privacy. Now, the HIPAA privacy regulations create significant new civil and criminal penalties for failure to protect the privacy of medical records.
The HIPAA rules on protecting the privacy of medical information are in a section of the law called "Administrative Simplification." That term has prompted a great deal of derisive laughter. However, some rules will actually simplify some issues. The law requires the United States Department of Health and Human Services (HHS) to adopt uniform standards for electronic transactions in the health care field. These standards, called the "Transaction Standards and Code Sets," have been issued and are in final form. The rules require the use of standard codes, forms and formats for all health care-related transactions that are performed electronically.
Ultimately, the transactions and code sets standards should help make billing and claim payments quicker and easier. In the meantime, there will be a considerable expense involved in switching over to standard codes, forms and formats. The costs for new hardware, software and staff training can be substantial.
The HIPAA law also requires HHS to set security standards for the electronic transmission of health care information. The HIPAA "Security Rule" was issued in final form on Feb. 20, 2003. These standards are somewhat technical but seem, to most experts, to basically represent a list of best practices for the industry. We will not discuss the security rule in detail here. Suffice it to say that the rule provides that health care-related entities may not store or transmit health information about individuals electronically without making sure that appropriate security precautions have been taken.
The portion of the administrative simplification section of the HIPAA law that is currently causing the most controversy is the privacy rule. These standards do not result in simplification. The privacy rule has been issued in final form and will become fully binding on April 14, 2003. There is some pressure for Congress to pass legislation modifying the privacy rule. While Congress could act, most observers consider this unlikely.
The HIPAA privacy rule covers virtually any data about the health of an individual who is individually identifiable. We refer to such information as "protected health information" or PHI. PHI includes medical chart information as well as bills, claims, prescriptions, encounter data, lab results, medical opinions and even the fact that a patient had an appointment with a health care provider. For all practical purposes, all health-related consumer-specific data is covered and its privacy must be protected.
Virtually all health care providers, HMOs and health insurers will be required to comply with the privacy rule. Those required to comply are referred to in the rule as "covered entities." Health plans (including HMOs and health insurers) and health care clearinghouses are covered entities. A health care provider is a covered entity if it transmits PHI electronically in connection with a standard transaction, such as a claim, or if it employs a billing company or clearinghouse that does so on its behalf. "Electronic" means information stored on a computer or transmitted by e-mail or over the Internet; it does not include telephone and facsimile transmissions of information that did not already exist in electronic form.
Is non-compliance an option? No. As a practical matter, virtually all providers will have to comply, because entities with which they deal will require compliance. All hospitals, HMOs and health insurance companies are certainly covered entities. Accreditation, auditing and licensing agencies with whom covered entities deal will compel them to comply as a condition of doing business. The most meaningful penalties for non-compliance by providers will be loss or disruption of relationships with other covered entities.
The privacy rule also provides that the federal government can assess both civil and criminal penalties for non-compliance: The civil penalties are $100 per violation. Keep in mind that violations can number in the thousands per year if a large entity has an improper procedure in place. The maximum penalty is $25,000 per regulation violated per year. This could cost a lot of money if an entity habitually violates several HIPAA privacy regulations.
For knowing violations, there are criminal penalties, and they increase with the offender's intent. At the top tier, where PHI is obtained or disclosed with intent to sell it, or to use it for commercial advantage, personal gain or malicious harm, the penalty can include fines of up to $250,000, imprisonment for up to 10 years, or both. Intentional violations would include offenses such as selling PHI to others or deliberately using such information for an inappropriate or commercial purpose.
There are no exemptions for small health care practices or small insurers. The only way to be exempt is not to use electronic means to store or transmit protected health information. This is certainly not practical in the long run, and probably not practical even in the short run.
In the privacy rule, there is a base of common sense, with an overlay of bureaucratic overkill. What should covered entities do? First decide what your attitude toward the privacy rule will be. Will you decide that the initials HIPAA stand for Here Is Pain And Anguish? Partly true, but grumbling won't help. Or, will you look at HIPAA as How Intelligent People Act Anyway? This is also partly true, and perhaps a better way to look at compliance.
There is a PHI privacy problem. The government has responded. Here are the steps you need to take:
- Become familiar with the requirements of the privacy rule.
- Appoint a privacy officer. This person will be responsible for seeing that your organization complies with the privacy rule.
- Take an inventory of how PHI is gathered, stored and transmitted in your organization. Take special note of practices that need improvement.
- Have your attorney do an analysis of how applicable state law may differ from the privacy rule requirements. This is necessary because, in some cases, state law is stricter than the privacy rule and the rule provides that generally the stricter of the two requirements must be complied with.
- Prepare a "Notice of Privacy Practices" and distribute it to all persons whose PHI you gather and store. You will need to work with legal counsel to develop an appropriate form. The notice must be posted at service delivery sites and on your website.
- Develop a set of appropriate policies and procedures regarding privacy of PHI.
- Train your staff in the requirements of the privacy rule.
- Prepare a HIPAA-compliant form for authorization for release of medical records. Here again you will need the help of an attorney.
- Enter into privacy protection agreements with all of your "business associates" who have access to PHI for which you are responsible. The term "business associate" does not include your employees or treatment providers, but it does include vendors with whom you share individually identifiable health information. Some examples of business associates are lawyers, accountants and consultants, if you share patient-specific health care information with them. Your attorney can draft this document for you.
- Establish a privacy complaint process and establish a sanctions process to discipline employees who violate patient privacy rights.
- Set up a system for insureds/patients to request that you communicate medical information to them by alternative means (e.g., always by mail, never by telephone, etc.). You must comply with such a request if the request is "reasonable."
- Set up procedures for patients to review their own medical information, if they so request. The privacy rule gives them that right.
- Develop a procedure for individuals to request changes in their medical records. In general, you are not required to accept such changes, unless the changes would make the medical record more accurate. However, you must consider such requests.
- Develop a system to give individuals, upon request, an accounting of your organization's disclosures of their PHI. You don't have to give an accounting of disclosures made in the course of treatment, payment or normal business operations, but you do have to give patients, upon request, a list of the disclosures of their PHI, which you have made for such purposes as research, responses to subpoenas or other non-routine purposes.