The Health Insurance Portability and Accountability Act (HIPAA) contains administrative simplification provisions that are designed to encourage health care providers and health plans to process health claims and payments (and to perform other administrative functions) electronically, using standard transactions and uniform code sets. The administrative simplification provisions also include privacy and security safeguards for protected health information (PHI) held by health care providers, insured or self-insured health plans or billing clearinghouses (collectively referred to as covered entities).
A. Privacy Guidance From The Enforcers
Enforcement authority for the HIPAA privacy regulations rests with the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services. However, until recently, OCR had not provided any guidance on how it would interpret the privacy regulations and what its enforcement approach would be.
That changed on December 3, 2002, when OCR issued 123 pages of informal guidance on 11 separate privacy issues, plus a general overview, as well as answers to frequently-asked questions. OCR plans to address additional issues and answer more frequently-asked questions in the future. The guidance is not binding on the courts, and is technically not binding on OCR. Nonetheless, it is useful because it gives a glimpse of the agency's thinking and approach to privacy enforcement. (The guidance is available at http://www.hhs.gov/ocr/privacy/.)
B. Size Matters
Throughout the new guidance, OCR emphasizes reasonableness, flexibility, and scalability in the interpretation and application of the regulations. For example, referring to the requirement that each covered entity appoint a privacy officer, OCR distinguishes between small physician practices and large providers or plans: "The privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties; the privacy official at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board."
Similarly, the guidance indicates that a small physician practice might comply with the requirement that employees be trained in privacy protection by giving new employees a copy of the practice's privacy policies and procedures, and documenting that the new employees have reviewed them, while a larger covered entity might need to provide live instruction, video presentations, or interactive software programs.
The new guidance also addresses disclosures that are incidental to other, permitted disclosures. This category of permitted dis- closure was added to the privacy regulations by the August, 2002 modifications, and such disclosures are permitted only if the covered entity has applied reasonable safeguards and implemented the minimum necessary standard.
For example, OCR has stated that a health care provider may leave a message for a patient on the patient's answering machine or with a family member or other person who answers the phone when the patient is not home. OCR cautions, however, that the provider's obligation to safeguard the patient's privacy may require the provider to limit the amount of information disclosed. When leaving a message on an answering machine, OCR suggests that the provider "consider leaving only its name and number and other information necessary to confirm an appointment," or simply ask the patient to call back.
When leaving a message with another person who answers the patient's phone, OCR states that the provider "should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed." In both situations, OCR notes that if the patient has requested that the provider communicate with the patient by alternative means or at an alternative location, the provider must do so if reasonable.
D. Business Associates
The new guidance is particularly helpful in determining who are a covered entity's business associates. Under the privacy regulations, a covered entity must enter into a business associate agreement with a person or entity (other than a member of the covered entity's workforce) that performs services for the covered entity that involve the use or disclosure of PHI.
There has been much discussion, and some disagreement, about who falls into the business associate category. OCR provides examples of business associates, including CPAs who provide accounting services to covered entities if the services require the disclosure of PHI; independent medical transcriptionists; and accreditation organizations that accredit the covered entity.
The guidance specifically addresses janitorial services, and OCR takes the position that a janitorial service that cleans the offices of a covered entity is not a business associate because the work does not require the disclosure of PHI, and any contact with PHI is limited and merely incidental.
On the other hand, OCR takes the position that a service provider hired for routine handling or shredding of documents that contain PHI is probably a business associate, because its contact with PHI is not limited.
The new guidance takes a very practical approach to HIPAA privacy compliance, and emphasizes reasonableness, flexibility, and scalability. The horror stories about soundproofing examination rooms, the demise of the sign-in sheet, and government investigators breathing down the necks of covered entities have no basis, and a covered entity that makes a diligent and honest effort to comply with the privacy regulations will probably not face significant enforcement sanctions from OCR, at least for now.