HIPAA Privacy Standards for Electronic Exchange of Health Info
This article appeared in the July 25,2000 issue of "The Daily Record".
The use of, and reliance on, the electronic exchange of health care information has increased dramatically during the last decade. It is no longer the exception, but now the rule, for medical records to be maintained in an electronic format, and for health care claims to be sent, and payments to be made, electronically. As a consequence of the boom of "e-health," a host of issues have emerged, such as patient privacy expectations, security, and standardization of codes.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires a series of public rules to be issued by the Department of Health and Human Services (DHHS) addressing the following: (1) transactions and code sets; (2) national provider identifiers; (3) national employer identifiers; (4) security; (5) privacy/confidentiality; (6) national health plan identifiers; (7) claims attachments; (8) enforcement; and (9) national individual identifiers.
So far, DHHS has issued proposed rules with respect to transactions and code sets (5/7/98), national provider identifiers (5/7/98), national employer identifiers (6/16/98), security (8/12/98), and privacy/confidentiality (11/3/99). The transactions and code sets rules are expected to be finalized soon. However, the proposed rules for national health plan identifiers, claims attachments, and enforcement have yet to be published, and the publication of the proposed rule for national individual identifiers is on hold.
The proposed rule with respect to privacy/confidentiality is titled the "Standards for Privacy of Individually Identifiable Health Information" (Proposed Privacy Rule), and is the focus of this article.
Scope of Rule
The reach of the Proposed Privacy Rule is broad. Protection is afforded to "electronic information" in the hands of a "covered entity." Information becomes electronic either by being sent electronically or by being maintained in a computer system, even if the information is no longer in electronic form.
"Covered entities" are health plans, health care clearinghouses, and health care providers who transmit information electronically. Even health care providers who themselves do not conduct electronic transactions would be subject to the Proposed Privacy Rule, if another entity, such as a billing company, transmits information in electronic form on their behalf.
"Covered entities" are prohibited from using or disclosing protected health information, except as authorized by the patient or as explicitly permitted by the Proposed Privacy Rule.
The amount of information permitted to be used or disclosed is restricted to the minimum amount necessary to accomplish the relevant purpose. The Proposed Privacy Rule does, however, permit use and disclosure of health information without authorization for purposes of health care treatment, payment and operations.
The Proposed Privacy Rule also permits covered entities to disclose protected information to "business partners," such as lawyers, consultants and auditors. Although such business partners themselves are not covered entities, the Proposed Privacy Rule imposes an obligation on the covered entity to enter into contracts with its business partners to ensure that disclosed protected information remains confidential. These contracts would not be required, however, where the business partner is providing treatment, consultation or a referral.
Patients would have new rights, including the right to receive a written notice of information practices from health plans and providers, and an accounting of health information disclosures. Although there would be no right for a patient to sue if a provider does not meet these requirements, the government could impose both civil money and criminal penalties on health plans and providers who do not comply with the requirements.
The Proposed Privacy Rule is not intended to supercede other legally mandated disclosures, such as disclosures required in connection with abuse investigations and law enforcement activities. Further, the Proposed Privacy Rule only supercedes state laws to the extent such laws have less stringent privacy protection.
After publishing the Proposed Privacy Rule, DHHS was inundated with comments - the original comments deadline of January 3, 2000 was pushed back to February 17, 2000. At this time, the target date for publication of the final privacy rule is unknown; however, the final privacy rule would become effective twenty-six (26) months after publication.
In the meantime, since the Proposed Privacy Rule will likely be applicable to almost everyone in the health care field and to anyone who does business with anyone in health care, health care providers should now be gearing up for compliance. The first step they should take is to evaluate their existing privacy/confidentiality practices. It is also time to consider developing detailed policies and procedures to safeguard against the misuse of individually identifiable health care information, if such policies are not already in place.
June 30, 2000