As the executive director of fundraising at a non-profit hospital, you have organized a fundraiser to benefit cardiac research initiatives and have obtained a list of heart patients who have been treated in your hospital's cardiac program to solicit their support. This fairly common practice, intended to raise money for a good cause, will be prohibited by the proposed federal privacy mandates issued in October 1999 unless each patient specifically authorizes the disclosure of his or her health information for that purpose.

This is one example of the impact of new regulations issued under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). These new regulations are designed to safeguard the privacy of patients' health information and restrict the conditions under which physicians, hospitals and health plans may divulge such information without the patients' consent.

Highlights Of Proposed Rule

The proposed privacy rules state that covered entities are prohibited from using or disclosing "protected health information" without specific authorization from the patient except as provided in the rule. "Protected health information" means individually identifiable healthcare information that is electronically maintained or transferred in any manner. For example, electronic transmission has been interpreted to include a physician sending a fax or an electronic mail inquiry made by an insurance carrier. The rules do not apply to information or paper records that have never been maintained or transmitted electronically. However, once information has been maintained or transmitted electronically, the proposed rule would apply the privacy standard to paper records that are generated from the electronic record, or were used as a source of data input, because it is the information and not the specific record that is protected.

Therefore, when an individual's name and diagnostic code are transmitted electronically between a party subject to the rules and that party's business partner (as defined in the privacy rules), the underlying information becomes covered by the privacy rule and must be given the same privacy protections. For example, a physician may not avoid the rules by maintaining paper records and having a billing agent handle electronic transmissions. The physician must treat the information contained in the paper records in accordance with the proposed privacy rules.

Need To Know

Under most circumstances, the proposed privacy rules permit covered organizations to disclose the minimum necessary health information for purposes of treatment, payment or healthcare operations without obtaining a specific authorization from the patient. Because a provider is required to take reasonable steps to disclose no more than the minimum amount of health information necessary to treat the patient and obtain payment for its services, the provider must have written procedures in place describing what information should be used or disclosed. For example, if a provider receives a request for an entire patient record, the provider must assess whether a portion of the record would satisfy the request.

Specific Authorization

The proposed rule spells out situations in which a covered entity can use patient information only upon the specific authorization of the individual. In addition to the fundraising example cited above, these include: (i) using individually identifiable patient information for marketing purposes; (ii) selling or renting health information; (iii) disclosing health information to a non-health related division of the entity for use in marketing life insurance, casualty insurance or banking services; (iv) disclosing information to a health plan prior to an individual's enrollment in the plan for purposes of eligibility or enrollment determinations, or for underwriting determinations; and (v) disclosing to an employer a patient's health information for employment determinations. The specific authorization which must be obtained in the above circumstances must be separate and distinct from any other authorization request. Therefore, the general authorization included on many providers' claim forms or health plans' enrollment forms is not adequate.

Covered Entities

The proposed privacy mandates apply broadly to "covered entities" - health plans, healthcare clearinghouses, and healthcare providers which maintain and transmit patient information in electronic form. The definition of health plans includes licensed insurers, HMOs, and self-funded group health plans.

Healthcare providers which do not conduct electronic transactions themselves are subject to the rule if another entity such as a billing service or hospital transmits information in electronic form on their behalf. Merely receiving protected information does not make an entity a covered entity; however, the rule does extend to "business partners" of health plans, providers and claims clearinghouses. Examples of business partners include third party administrators, billing companies, consultants, accountants, attorneys and accreditation organizations such as JCAHO or the NCQA.

Business partner agreements must be signed by the covered entity and its business partners to ensure that there is no further disclosure of information other than as permitted by the proposed rule. In fact, claims clearinghouses, although covered entities, are also deemed to be business partners of the providers for which they submit claims and therefore must enter into business partner agreements with such providers before transmitting protected patient information.

The rule sets forth specific requirements as to the language to be included in the business partner agreements. The rules are designed to create business partner agreements between covered entities and administrative and support services organizations that perform outsourced services. Transmission of electronic health information between providers for consultation and referral purposes does not require such an agreement. Business partner agreements between providers and insurers or other providers such as pharmacies and DME vendors are not required because those entities perform activities directly for patients.

Penalties

The privacy rule creates new criminal and civil penalties for improper use or disclosure of protected patient information. If a patient believes that his or her health information has been used or disclosed improperly, a complaint may be filed with the Secretary of Health and Human Services. The government will then investigate complaints filed and determine whether a violation has occurred. If a violation has occurred, civil monetary penalties may be imposed. Civil fines of up to $25,000 for each calendar year for violation of a single requirement are provided in the rule. If it can be proven that the covered entity knowingly violated the privacy requirements, fines as high as $250,000 and 10 years in prison may be imposed.

The government, on its own initiative, may conduct a compliance review to determine whether the covered entity or its business partners are complying with the proposed regulations. A covered entity is itself in violation of the regulations if it knows or should have known that its business partner breached the privacy requirements under the terms of the business partner agreement and fails to take reasonable steps to cure that problem or terminate the business partner agreement.

Immediate Steps For Covered Entities

It is expected that a final rule will be published by the Department of Health and Human Services in the spring of this year, with an effective date 24 months following publication. We recommend that healthcare providers, health plans and claims clearinghouses take the following steps to prepare for compliance with the new rule:

  1. Begin educating staff on the basic requirements set forth in the new privacy rule. Be sure staff members understand the importance of the rule and the consequences for non-compliance.
  2. Update policies and procedures regarding the release of patient information.
  3. Determine the amount of information that is appropriate to release to other entities, the entities to which such information can be released, and establish safeguards to make sure that only the minimum necessary information is released.
  4. Examine your information systems to determine whether selective access to portions of the health record is permitted. Can certain fields be deleted when transmitting records in order to comply with the "minimum necessary" requirements?
  5. Ensure that diagnostic or treatment information is not transmitted to banking institutions which simply process payment transactions.
  6. Identify your organization's business partners for purposes of negotiating and executing business partner agreements.
  7. Begin to inform health plan members about what the health plan is doing to safeguard their medical record information.
  8. Provide guidelines to patients and health plan members as to how they can access their health information.
  9. Consider using an ombudsman approach to establish a system where health plan members can report suspected breaches of confidentiality to the health plan's administration.
  10. Modify your organization's compliance program to include a procedure to detect the inappropriate use and release of information in order to avoid civil and criminal penalties for the unauthorized use or disclosure of such information.
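Steps 3 through 5 describe a data-minimization control: decide, per recipient and purpose, which fields may leave the organization, release nothing else, and keep a record of what was released so the accounting of disclosures described later in this article can be produced. The following is an added illustration of that control in Python; it is not part of the article and not derived from the text of the rule. The field names, the purposes, the allowlists and the sample patient record are all assumptions chosen for the example; a real covered entity would derive them from its own written procedures.

```python
"""Minimum-necessary disclosure filter with an accounting-of-disclosures ledger.

Added illustration only. Field names, purposes and allowlists are assumed for
the example, not taken from the rule or from the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample record for a fictitious patient.
SAMPLE_RECORD = {
    "patient_id": "P-00017",
    "name": "Jane Q. Sample",
    "date_of_birth": "1950-03-14",
    "member_id": "HP-44820",
    "diagnosis_code": "I50.9",      # assumed diagnosis-code field
    "procedure_code": "93306",      # assumed procedure-code field
    "clinical_notes": "Echocardiogram; LVEF 35%; start diuretic.",
    "amount_due": 412.50,
    "billing_account": "ACCT-77130",
}

# Fields that carry diagnostic or treatment information (assumed set).
CLINICAL_FIELDS = {"diagnosis_code", "procedure_code", "clinical_notes"}

# Purposes whose recipients have no treatment or payment role in the patient's
# care and therefore must never receive clinical fields (step 5 above).
NON_CLINICAL_PURPOSES = {"payment_processing"}

# Per-purpose allowlists: deny by default, only listed fields are released.
ALLOWLISTS = {
    # treating clinician: clinical content, no financial fields
    "treatment": {"patient_id", "name", "date_of_birth",
                  "diagnosis_code", "procedure_code", "clinical_notes"},
    # health plan adjudicating a claim: identity and codes, no free-text notes
    "payment": {"patient_id", "name", "date_of_birth", "member_id",
                "diagnosis_code", "procedure_code", "amount_due"},
    # bank that only moves the money: account and amount, nothing clinical
    "payment_processing": {"billing_account", "amount_due"},
}


def validate_allowlists(allowlists=ALLOWLISTS):
    """Return policy violations: non-clinical purposes that expose clinical fields.

    An empty list means the policy table is internally consistent.
    """
    violations = []
    for purpose in NON_CLINICAL_PURPOSES:
        leaked = allowlists.get(purpose, set()) & CLINICAL_FIELDS
        if leaked:
            violations.append((purpose, sorted(leaked)))
    return violations


def can_disclose(purpose, allowlists=ALLOWLISTS):
    """True only if a written policy exists for this purpose (fail closed)."""
    return purpose in allowlists


@dataclass
class DisclosureLedger:
    """Append-only record of every release, for the accounting of disclosures."""
    entries: list = field(default_factory=list)

    def record(self, patient_id, recipient, purpose, fields_sent):
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "patient_id": patient_id,
            "recipient": recipient,
            "purpose": purpose,
            "fields": list(fields_sent),
        })

    def for_patient(self, patient_id):
        return [e for e in self.entries if e["patient_id"] == patient_id]


def minimum_necessary(record, purpose, recipient, ledger, allowlists=ALLOWLISTS):
    """Project `record` onto the fields approved for `purpose` and log the release.

    Unknown purposes raise rather than fall through to a full-record release.
    """
    if not can_disclose(purpose, allowlists):
        raise ValueError(f"no approved disclosure policy for purpose {purpose!r}")
    allowed = allowlists[purpose]
    disclosed = {k: v for k, v in record.items() if k in allowed}
    ledger.record(record["patient_id"], recipient, purpose, sorted(disclosed))
    return disclosed


if __name__ == "__main__":
    assert validate_allowlists() == [], "policy table exposes clinical data"
    ledger = DisclosureLedger()
    for purpose, recipient in [("payment", "Example Health Plan"),
                               ("payment_processing", "Example Bank")]:
        sent = minimum_necessary(SAMPLE_RECORD, purpose, recipient, ledger)
        print(purpose, "->", sorted(sent))
    print("disclosures on file:", len(ledger.for_patient("P-00017")))
```

The two properties a practitioner should check here are that the policy table is self-consistent (`validate_allowlists` returns no violations, so step 5 cannot be broken by a later edit to the table) and that a request under a purpose with no written policy fails closed instead of releasing the whole record. The ledger is what lets the organization answer a patient's request for an accounting of disclosures without reconstructing it from transmission logs.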

Required Notice to Patients

The rule requires that individuals be given a notice that includes the following information:

  1. The uses and disclosures the covered entity may make of the patient's information, including those that require the patient's authorization;
  2. Notification advising the individual of the ability to request restrictions on disclosure of the information;
  3. Notification of the patient's right to inspect and copy the information;
  4. Notification advising the patient of his or her ability to amend or correct the health information;
  5. Notification that the patient may obtain an accounting of the disclosures of the information made by the covered entity;
  6. Notice of the covered entity's policies and procedures with respect to protected patient information;
  7. Notice of the individual's right to complain if he or she believes privacy rights have been violated.

Conclusion

Ironically, the complex requirements of the proposed federal privacy rule are derived from the administrative simplification provisions of HIPAA. These proposed rules, which are expected to become final in the next few months, will present challenges to covered entities due to their complexity. It should be noted that the new rule does not preempt existing state medical record protections that are more stringent than the federal standard. State laws which are more restrictive, such as those dealing with the release of mental health and HIV/AIDS information, will remain in effect after the proposed federal rule becomes final.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.