Now That You've Handled Y2K: Here Comes HIPAA's New Federal Confidentiality Standards


The Secretary of the U.S. Department of Health and Human Services ("DHHS") has published for public comment proposed regulations that would establish comprehensive minimum privacy standards for medical information.1 Publication of the regulations was required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") following Congress' failure to pass legislation establishing federal medical privacy standards. Among other things, HIPAA establishes security and privacy standards intended to promote the standardized, electronic transmission of many administrative and financial healthcare transactions that are currently carried out manually on paper. According to the Wall Street Journal of January 3, 2000, consultants who have begun working on HIPAA estimate it could cost two or even three times as much as the year-2000 computer effort, which set the nation's hospitals back $8 billion.

The confidentiality of most health information is currently controlled by state law, and protections vary from state to state. The proposed federal regulations establish a uniform minimum 'floor' of confidentiality protection, preempting all contrary state laws unless those laws provide for more stringent protection. While some of the confidentiality concepts embodied in the regulations will be familiar, in many cases they go beyond existing laws and establish new concepts and standards. This Advisory highlights key provisions and new concepts of the proposed federal regulations.

Who Must Comply?
The regulations would apply to the following entities and individuals ("covered entities"):

  • Healthcare providers. Entities and individuals that provide medical or other health services or furnish, bill, or are paid for healthcare services or supplies in the normal course of business. They include typical health institutions (e.g., hospitals) and individuals (e.g., physicians), as well as clinical laboratories, durable medical equipment suppliers, and pharmacies (including "online" Internet pharmacies).
  • Health plans. Individual or group plans that provide for, or pay the cost of, medical care. They include managed care plans, insurance plans, government health plans (e.g., Medicare and Medicaid), and employee welfare benefit plans.
  • Healthcare clearinghouses. Public or private entities that process or facilitate the processing of "nonstandard data elements" of health information into "standard data elements." They include billing services, community health information systems, and so-called "value-added" networks.

The regulations also will reach, albeit indirectly, entities and individuals referred to as "business partners" of covered entities (see below under What Are the Key Provisions and New Concepts?).

What Information Is Covered?
The regulations will apply to information related to an individual's health or medical condition that was created or received by a healthcare provider, health plan, clearinghouse, or other specified person, and has at some point been put into electronic format, even if not currently in such format ("protected health information"). Information that has never been in electronic format is not covered.

What Are The Key Provisions And New Concepts?
The overall confidentiality scheme is similar to that currently used by most states. For example, the regulations permit certain uses of information without requiring patient authorization (e.g., allow internal sharing for treatment and administrative purposes). However, some key points and concepts are either new or substantially strengthened. These include:

  • Minimum necessary disclosure. Disclosure of protected health information, even where authorized by law, is to be limited to the "minimum necessary" to accomplish the purpose for which disclosure is made.
  • Business partners. Covered entities must have written contracts with individuals and entities that perform or assist them with a function or activity and receive protected health information ("business partners"). These contracts must include specified confidentiality assurances, the breach of which may be imputed to the covered entity. Further, these contracts must recognize individuals as third party beneficiaries, which, depending on state law, may allow individuals to sue covered entities for violations of their privacy rights. Business partners include individuals and entities such as lawyers, auditors, consultants, third party administrators, healthcare clearinghouses, and data processing and billing firms.
  • Notice of information practices. Covered entities must provide patients with a written notice that in plain language describes their practices for handling and using protected health information (in sufficient detail to put the patient on notice of the uses and disclosures to be made of his/her protected health information) as well as the patients' rights with respect to that information.
  • Patient rights. Patient rights include the right to access, inspect, and obtain copies of their health information, the right to request non-disclosure in certain circumstances, the right to request corrections and amendments to their health information, and the right to an accounting of disclosures of their information.
  • Accounting of disclosures. Covered entities must give patients an accounting of all disclosures of protected health information, except for disclosures for treatment, payment, healthcare operations, and — in some circumstances — disclosures to health oversight or law enforcement agencies. Covered entities must have procedures that can give patients the date of each disclosure, the name and address of persons receiving protected health information, the information disclosed, the purpose for which disclosure was made, and copies of all requests for disclosure.
  • Specified authorization forms. The regulations include detailed requirements for forms authorizing the release of protected health information. These requirements differ depending upon whether the authorization is initiated by the covered entity or the patient.
  • Administrative procedures. Covered entities must have policies, procedures, and systems in place to protect health information and individual rights. Requirements include: designation of a privacy officer; privacy training for employees; safeguards to prevent intentional or accidental misuse of protected health information, and sanctions for employee violations of these requirements.
  • De-identification. The regulations do not apply to health information that has been "de-identified" by removing, coding, encrypting, or otherwise eliminating or concealing all individually identifiable information. Information is presumed not to be individually identifiable if certain information, as specified in the regulations, is removed or otherwise concealed.
  • Preemption of State law. The federal regulations preempt all 'contrary' state laws unless a state law is 'more stringent.'
    - Contrary. State law is deemed to be contrary to the federal standard when an entity would find it impossible to comply with both the state and federal requirements or when the state law is an obstacle to the accomplishment of the purposes and objectives of HIPAA. States may apply to DHHS for time-limited exceptions to this provision for laws that promote important state interests.
    - More stringent. A state law is more stringent than the federal standard if the state law:
      - Further limits the use or disclosure of protected health information;
      - Provides individuals with greater rights of access to their health information (with exceptions for minors);
      - Increases penalties for unauthorized disclosure of information;
      - Allows for greater information or increased rights to individuals regarding the use of their health information;
      - Provides stricter terms for authorizing disclosure of health information;
      - Imposes stricter standards of record-keeping or accounting; or
      - Strengthens privacy protection for individuals.
      DHHS may issue advisory opinions, at the request of a state or on its own initiative, on the question of whether a particular state law is "more stringent."
  • Penalties. Failure to comply with the regulations could result in significant civil monetary penalties (up to $25,000 per standard per year) or, in the event of certain wrongful disclosures, criminal penalties (fines ranging from $50,000 to $250,000 and possible jail time).

When Will This Go Into Effect?
The new standards will be enforceable twenty-four months after adoption, except that "small health plans" are given an additional twelve months to come into compliance.

What Should You Do Now?
Determine if the regulations apply to you. If so, become familiar with them and work through their implications for your organization. Speak up if you see problems with implementation of the regulations. DHHS will accept comments on the proposed regulations until February 17, 2000.

Begin preparations for coming into compliance with the new requirements. Compliance may require significant changes to existing policies and procedures, and advance preparation will be essential. While the final regulations may differ in some details from the proposed regulations described in this memorandum, the changes are unlikely to be significant.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
