- HIPAA and the New Privacy Regulations
- June 27, 2003
- Law Firm: Buckingham, Doolittle & Burroughs, LLP - Columbus Office
For some time now the health care industry has been abuzz about HIPAA and its newly promulgated privacy regulations. One might ask, "Why do I care, and how will it affect me?" In the course of this article and the next we will attempt to answer those questions, but a little history may be in order.
On August 21, 1996, Congress passed what was labeled the Health Insurance Portability and Accountability Act ("HIPAA"), otherwise known as the "Kennedy-Kassebaum Bill." Much of the Act was aimed at facilitating the transfer, or portability if you will, and the continuity of health care benefits between employers. It also addressed access to and the confidentiality of medical information and the need to improve the processes by which information is transmitted among health care providers and affiliated organizations working within the health care arena. The Act gave Congress until August 21, 1999, to enact legislation to protect the privacy of health care records. It also empowered the Secretary of Health and Human Services ("DHHS"), now the Centers for Medicare and Medicaid Services ("CMS"), to promulgate privacy regulations if Congress failed to meet the deadline.
On November 3, 1999, DHHS published proposed federal rules for medical records privacy entitled "Standards for Privacy of Individually Identifiable Health Information." In response, and to give you a feel for the controversial nature of the rules, DHHS received more than 52,000 comments. On December 28, 2000, DHHS issued the final privacy regulations for health care information, consisting of more than 100 pages in the Federal Register and accompanied by more than 1,400 pages of commentary. The regulations cover health plans, health care clearinghouses and health care providers, including optometrists, that conduct financial and administrative transactions relating to their health care services electronically; that is, electronic billing. The regulations became effective on April 14, 2001, with full implementation scheduled for April 14, 2003. On July 6, 2001, the Bush Administration issued clarification of the rules and promised to revise some of the rules to provide a greater degree of "common sense." On July 16, 2001, the South Carolina Medical Society, along with the Louisiana Medical Society and its constituent physicians, filed a Declaratory Judgment action in federal court seeking to have the HIPAA privacy regulations declared unconstitutional.
With that background, it is clear that the privacy rules will affect each and every optometry practice operating in the State of Ohio and, for that matter, nationally, that electronically transmits data, either from its own office or through a billing company, in connection with a claim for payment for optometry services. The privacy rules protect "individually identifiable health care information," meaning information about an individual's health condition, treatment or payment that identifies the individual. The privacy rules call this information "protected health care information," or in short form "PHI." PHI is protected no matter how it is created or stored -- on paper, in electronic media, on film, on tape and, arguably, even in the minds of the optometrist or staff. The privacy rules govern both the internal use of PHI and the external disclosure of PHI.
The privacy rules are also applicable to the "business associates" of the optometry practice. Business associates are defined as those persons or entities who perform, or assist the practice in performing, a function or service for the practice that involves the use or disclosure of individually identifiable health information. Examples of business associate services include legal, actuarial, accounting, consulting, management, administrative and financial services. A practice may disclose PHI to a business associate, and may allow the business associate to create or receive protected health information, if the practice obtains, by written contract, "satisfactory assurances" that the business associate will safeguard the protected information. While not directly responsible for its business associates' compliance with the privacy rules, a practice may be held responsible for violations by its business associates if it fails to take reasonable measures to assure that the business associate is not distributing PHI inappropriately.
The fundamental tenet of the privacy rules is that PHI cannot be used, disclosed, released, transferred, divulged or made accessible to outside entities unless the patient, or the person acting on the patient's behalf, authorizes or consents to the disclosure, except when disclosure is specifically required or permitted under the HIPAA regulations. According to DHHS, the intent of the regulations is to achieve a balance between accommodating the practical use of individually identifiable health information and rendering maximum privacy protection of that information.
Under the privacy rules, PHI can be used or disclosed in only one of four ways:
1. Pursuant to a written patient "consent form," for treatment, payment and the covered entity's own health care operations. The health care entity's operations would include internal billing records, peer review, utilization review, etc. A covered health care provider may condition the provision of treatment on the patient's signing a consent form. A consent form is not required in an emergency situation. A consent for use or disclosure may be combined with other types of legal permission, for example an informed consent form or an assignment of benefits, if the consent to disclose is visually separated from the other permission and has its own separate signature line. The individual signing the consent form may revoke it at any time, except to the extent that the covered entity has already acted in reliance upon the consent. The practice must document and retain the signed consent.
2. Pursuant to a written "authorization" form, for purposes other than treatment, payment or the covered entity's own health care operations. A covered health care provider may not condition the provision of treatment on the patient's signing an authorization. The covered health care entity can, however, condition the provision of research-related treatment on the person's signing an authorization.
3. PHI may be released pursuant to a patient's oral permission in a few very specific circumstances.
4. PHI may be released without the patient's permission, either oral or written, for an overriding public health reason. Examples include quality assurance activities, public health use, emergencies, limited law enforcement activities, reporting of child abuse or the reporting of infectious disease. The limited law enforcement activities would include responding to court orders and subpoenas issued by an administrative or judicial body.
In addition to the consent and authorization forms required by the privacy regulations, HIPAA creates rights that are intended to enable patients to understand and control how their PHI is used and disclosed. Patients have a right to receive a notice that describes the covered entity's privacy practices and protections. Health care providers and health plans, for example, must give enrollees a clear explanation of how the provider or plan may use, keep and disclose PHI. The notice must inform the patient in plain language how the patient can file complaints, either with the covered entity or with DHHS, and must identify a contact person within the practice who can provide additional information. Patients generally have the right to access, inspect and copy their medical records, with some exceptions, such as psychotherapy notes or cases in which the practice determines that access would endanger the life or physical safety of the individual or another person. The practice must respond to a request for access within thirty (30) days of receiving the request if the information is maintained or accessible on site. The covered entity may charge a reasonable fee for copying and mailing.
Patients have the right to request that the optometrist amend their protected health information. That request may be denied if the optometric office determines that: 1) the protected information record that is the subject of the request was not made by the practice; 2) the information is not part of the designated record; or 3) the information is accurate and complete. The patient has the right to receive an accounting of the disclosures made by the covered entity for purposes other than treatment, payment and health care operations. The accounting covers all disclosures made within the six (6) years prior to the request. However, disclosures that predate the compliance date do not have to be included in the accounting. The accounting must include a brief statement of the purpose of each disclosure and the address of the recipient of the disclosed information, and it must be provided within sixty (60) days of receipt of the request. Patients have the right to receive one free accounting of the release of their information every twelve (12) months.
Administratively, optometric practices are required to adopt policies, procedures and systems in order to safeguard the privacy of PHI and assure patient rights. Generally, the optometric practice must:
1. Designate a privacy officer who is responsible for developing and implementing privacy policies and procedures. The practice must also designate a person who will provide additional information and is responsible for receiving complaints. That person may be one and the same individual.
2. The optometry practice must adopt written policies and procedures that specify who shall have access to protected information, to what extent that information will be used within the entity and when protected information will or will not be disclosed. These policies and procedures must also ensure that the business associates affiliated with the practice protect covered information.
3. The practice must train all members of the work force so that they understand and comply with the privacy protections. There are sanctions for those who fail to comply with the training requirement.
4. The practice must establish a grievance procedure for patients to make inquiries or complaints about the privacy and content of their records.
The privacy rules are serious business. Compliance with the rules will be enforced by the Office for Civil Rights ("OCR"), a division of DHHS. OCR can impose a fine of $100 per individual violation, up to a maximum of $25,000 per person, per year, for violations of the same requirement of the privacy rules. Additionally, those who knowingly violate HIPAA by improperly obtaining or disclosing PHI will be subject to criminal penalties of up to $50,000 and one year in prison. Obtaining PHI under false pretenses could cost up to $100,000 and earn up to five (5) years in prison. If one has the intent to sell, transfer or use protected information for commercial advantage, personal gain or malicious harm, then that person faces a fine of up to $250,000 and up to ten (10) years in prison.
Compliance with HIPAA will not be a simple process. Consent and authorization forms must be developed. Business associate agreements must be reviewed and, to the extent there are existing contracts, those contracts must be revised. Policies and procedures must be developed. Staff must be trained to be sensitive to the release of protected information. Grievance procedures must be established. The practice must recognize that compliance with the privacy rules and regulations is an ongoing process.
The good and bad news is that the privacy regulations do not take effect until April 14, 2003. This leaves 19 months before compliance must be achieved, but everyone has to start working on compliance as quickly as possible.