The Bush Administration recently allowed new patient privacy regulations set out in the Health Insurance Portability and Accountability Act to take effect.  Essentially, the new privacy standards limit who can see a patient's medical records without prior written consent, and they provide strict guidelines about how such information can be handled.  The rules include new requirements regarding how providers maintain and exchange information electronically.  The standards will require major changes in how health care providers and organizations handle all facets of information management, including reimbursement, coding, security and patient records. Virtually all health care providers and health plans must comply with the new rules by April 14, 2003.

HIPAA’s privacy rules are expansive.  They are designed to protect any health information that relates to the past, present or future physical or mental health of a patient as well as the payment for health care services.  If this health information is maintained or transmitted in electronic, written or verbal forms, it is within the scope of HIPAA’s rules.  This means that even oral communications may need to be protected from unlawful use and disclosure.  For example, information that health care providers convey to patients when other family members are nearby may even be considered an unauthorized disclosure.

HIPAA not only restricts a health care provider’s use of protected health information but also grants patients the right to access and track their own health information.  This information may not be used without the patient’s written consent.  Any use or disclosure of a patient’s protected health information must be strictly limited to the "minimum necessary" to accomplish the legitimate purpose for such use.  There is confusion at this point as to what constitutes "minimum necessary."

HIPAA’s privacy rules also apply to health plans and companies that process health insurance claims.  However, HIPAA excludes certain types of health insurers, such as workers’ compensation and liability and disability plans, from its scope.  Business associates—any person or entity that provides services on behalf of a covered entity that receives protected health information from that covered entity—also must comply.  Examples include businesses or persons that provide a covered entity with legal, actuarial, accounting, consulting, data aggregation, management, accreditation or financial services.

HIPAA lists many procedures that covered entities will need to implement by 2003.  For example, entities must provide patients with notice of their privacy practices, give patients access to their own protected health information and grant them the opportunity to correct or amend that information.  Covered entities must also give patients, upon request, an accounting of the uses and disclosures of their protected health information.  Patients may also request that a covered entity establish additional safeguards.

Gray, Harris & Robinson is available to assist providers in preparing for the new HIPAA privacy regulations.  We can help establish new policies, procedures and privacy systems to protect patient health information.  Our services include appropriate education and training on these new regulations.  HIPAA policies and procedures should be integrated into an overall corporate compliance plan that will assist in governing your entire corporate structure.

Civil penalties for violations of HIPAA are severe.  Sanctions include $100 per violation to a maximum of $25,000 per year for continued violation of a single requirement or prohibition.  Criminal penalties include:

  • Wrongful disclosure: $5,000 and up to one year in jail
  • False pretenses: $10,000 and up to five years in jail
  • For profit with malice: $250,000 and up to 10 years in jail

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.